[libpng14] Fixed undefined behavior in png_push_save_buffer(). Do not call

memcpy() with a null source, even if count is zero (Leon Scroggins III).

ANNOUNCE

@@ -1,5 +1,5 @@
 
-Libpng 1.4.20beta01 - March 1, 2016
+Libpng 1.4.20beta01 - June 4, 2016
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -26,8 +26,10 @@ Other information:
 
 Changes since the last public release (1.4.19):
 
-version 1.4.20beta01 [March 1, 2016]
+version 1.4.20beta01 [June 4, 2016]
   Fix typos in libpng.3 synopses (Eric S. Raymond).
+  Fixed undefined behavior in png_push_save_buffer(). Do not call
+    memcpy() with a null source, even if count is zero (Leon Scroggins III).
 
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit

CHANGES

@@ -2916,7 +2916,8 @@ version 1.4.13 [February 6, 2014]
   No changes.
 
 version 1.4.14beta01 [November 6, 2014]
-  Avoid out-of-bounds memory access in png_user_version_check().
+  Fixed an out-of-range read in png_version_check() (Bug report from
+    Qixue Xiao, CVE-2015-8540).
   Simplified and future-proofed png_user_version_check().
 
 version 1.4.14rc01 [November 13, 2014]
@@ -3030,11 +3031,13 @@ version 1.4.19rc01 [December 14, 2015]
   Corrected copyright dates in source files.
   Moved png_check_keyword() from pngwutil.c to pngset.c
 
-version 1.4.19 [March 1, 2016]
+version 1.4.19 [December 17, 2015]
   No changes.
 
-version 1.4.20beta01 [March 1, 2016]
+version 1.4.20beta01 [June 4, 2016]
   Fix typos in libpng.3 synopses (Eric S. Raymond).
+  Fixed undefined behavior in png_push_save_buffer(). Do not call
+    memcpy() with a null source, even if count is zero (Leon Scroggins III).
 
 Send comments/corrections/commendations to glennrp at users.sourceforge.net
 or to png-mng-implement at lists.sf.net (subscription required; visit

pngpread.c

@@ -1,8 +1,8 @@
 
 /* pngpread.c - read a png file in push mode
  *
- * Last changed in libpng 1.4.10 [March 8, 2012]
+ * Last changed in libpng 1.4.20 [(TO BE RELEASED)]
- * Copyright (c) 1998-2002,2004,2006-2012 Glenn Randers-Pehrson
+ * Copyright (c) 1998-2002,2004,2006-2012,2016 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
@@ -683,7 +683,11 @@ png_push_save_buffer(png_structp png_ptr)
         png_free(png_ptr, old_buffer);
         png_error(png_ptr, "Insufficient memory for save_buffer");
       }
-      png_memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+      if (old_buffer)
+        png_memcpy(png_ptr->save_buffer, old_buffer,
+           png_ptr->save_buffer_size);
+      else if (png_ptr->save_buffer_size)
+        png_error(png_ptr, "save_buffer error");
       png_free(png_ptr, old_buffer);
       png_ptr->save_buffer_max = new_max;
    }