[libpng15] Fixed undefined behavior in png_push_save_buffer(). Do not call

memcpy() with a null source, even if count is zero (Leon Scroggins III).
2025-07-10 18:04:09 +02:00 · 2016-06-03 21:26:43 -05:00 · 2016-06-03 21:26:43 -05:00 · 6ddc038db9
commit 6ddc038db9
parent c1ac308d12
3 changed files with 15 additions and 6 deletions
--- a/6
+++ b/6
@ -1,5 +1,5 @@
-Libpng 1.5.28beta01 - May 31, 2016
+Libpng 1.5.28beta01 - June 4, 2016
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@ -26,8 +26,10 @@ Other information:
 Changes since the last public release (1.5.27):
-version 1.5.28beta01 [May 31, 2016]
+version 1.5.28beta01 [June 4, 2016]
  Merge with current libpng16 pngvalid.c
  Fixed undefined behavior in png_push_save_buffer(). Do not call
    memcpy() with a null source, even if count is zero (Leon Scroggins III).
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
--- a/4
+++ b/4
@ -4496,8 +4496,10 @@ version 1.5.27rc01 [May 14, 2016]
 version 1.5.27 [May 26, 2016]
  No changes.
-version 1.5.28beta01 [May 31, 2016]
+version 1.5.28beta01 [June 4, 2016]
  Merge with current libpng16 pngvalid.c
  Fixed undefined behavior in png_push_save_buffer(). Do not call
    memcpy() with a null source, even if count is zero (Leon Scroggins III).
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
--- a/pngpread.c
+++ b/pngpread.c
@ -1,8 +1,8 @@
 /* pngpread.c - read a png file in push mode
 *
- * Last changed in libpng 1.5.23 [July 23, 2015]
+ * Last changed in libpng 1.5.28 [(PENDING RELEASE)]
- * Copyright (c) 1998-2002,2004,2006-2015 Glenn Randers-Pehrson
+ * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson
 * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
 * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
 *
@ -628,7 +628,12 @@ png_push_save_buffer(png_structp png_ptr)
         png_error(png_ptr, "Insufficient memory for save_buffer");
      }
-      png_memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+      if (old_buffer)
         png_memcpy(png_ptr->save_buffer, old_buffer,
            png_ptr->save_buffer_size);
      else if (png_ptr->save_buffer_size)
         png_error(png_ptr, "save_buffer error");
      png_free(png_ptr, old_buffer);
      png_ptr->save_buffer_max = new_max;
   }