From 63ea57a7961728f3be15e18c28898ddf7ba32450 Mon Sep 17 00:00:00 2001
From: John Bowler
Date: Mon, 28 Dec 2015 16:15:36 -0800
Subject: [PATCH] Add NULL pz->list test to png_zlib_compress_validate
This seems safer; in fact a NULL dereference never happens because the test ends up just doing arithmetic on NULL but it seems possible that the undefined arithmetic can still happen if there is a bug elsewhere.
Signed-off-by: John Bowler
---
 pngwutil.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/pngwutil.c b/pngwutil.c
index 2674b9fb8..916f02a13 100644
--- a/pngwutil.c
+++ b/pngwutil.c
@@ -484,8 +484,9 @@ png_zlib_compress_validate(png_zlib_compressp pz, int in_use)
 {
 affirm((pz->end == &pz->list && pz->zs.next_out == NULL && pz->zs.avail_out == 0U) ||
- (pz->end == &pz->list->next && pz->zs.next_out == pz->list->output
- && pz->zs.avail_out == o_size));
+ (pz->list != NULL && pz->end == &pz->list->next &&
+ pz->zs.next_out == pz->list->output &&
+ pz->zs.avail_out == o_size));
 }
 else /* not empty */
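Review bot: The new `pz->list != NULL` operand in the second alternative of the `affirm` carries no comment explaining why it must be evaluated first, so a later cleanup could reorder or drop it as redundant. The commit message describes the old expression as arithmetic on NULL only, but `pz->list->output` in the same alternative is an actual load through `pz->list`, reached whenever the preceding `pz->end == &pz->list->next` comparison happens to hold; whether it can hold with a NULL list depends on the struct layout, which is not visible here. I would add `/* list must be non-NULL before forming &list->next or reading list->output */` directly above that operand. Because the guard lives inside `affirm(...)`, it only protects builds where that macro is active; its definition is outside this hunk, as are the start and end of `png_zlib_compress_validate`.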