[libpng15] Fixed bug in pngvalid on early allocation failure; fixed type cast

in pngmem.c; pngvalid would attempt to call png_error() if the allocation
of a png_struct or png_info failed. This would probably have led to a
crash.  The pngmem.c implementation of png_malloc() included a cast
to png_size_t which would fail on large allocations on 16-bit systems.

ANNOUNCE

@@ -28,6 +28,11 @@ Changes since the last public release (1.5.6):
 
 Version 1.5.7 [November 3, 2011]
   Added support for ARM processor (Mans Rullgard)
+  Fixed bug in pngvalid on early allocation failure; fixed type cast in
+    pngmem.c; pngvalid would attempt to call png_error() if the allocation
+    of a png_struct or png_info failed. This would probably have led to a
+    crash.  The pngmem.c implementation of png_malloc() included a cast
+    to png_size_t which would fail on large allocations on 16-bit systems.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net:
 (subscription required; visit

CHANGES

@@ -3671,6 +3671,11 @@ Version 1.5.6 [November 3, 2011]
 
 Version 1.5.7 [November 3, 2011]
   Added support for ARM processor (Mans Rullgard)
+  Fixed bug in pngvalid on early allocation failure; fixed type cast in
+    pngmem.c; pngvalid would attempt to call png_error() if the allocation
+    of a png_struct or png_info failed. This would probably have led to a
+    crash.  The pngmem.c implementation of png_malloc() included a cast
+    to png_size_t which would fail on large allocations on 16-bit systems.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

pngmem.c

@@ -1,7 +1,7 @@
 
 /* pngmem.c - stub functions for memory allocation
  *
- * Last changed in libpng 1.5.4 [July 7, 2011]
+ * Last changed in libpng 1.5.7 [(PENDING RELEASE)]
  * Copyright (c) 1998-2011 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -56,9 +56,9 @@ png_create_struct_2,(int type, png_malloc_ptr malloc_fn, png_voidp mem_ptr),
    if (malloc_fn != NULL)
    {
       png_struct dummy_struct;
-      png_structp png_ptr = &dummy_struct;
+      memset(&dummy_struct, 0, sizeof dummy_struct);
-      png_ptr->mem_ptr=mem_ptr;
+      dummy_struct.mem_ptr=mem_ptr;
-      struct_ptr = (*(malloc_fn))(png_ptr, (png_uint_32)size);
+      struct_ptr = (*(malloc_fn))(&dummy_struct, (png_alloc_size_t)size);
    }
 
    else
@@ -90,9 +90,9 @@ png_destroy_struct_2(png_voidp struct_ptr, png_free_ptr free_fn,
       if (free_fn != NULL)
       {
          png_struct dummy_struct;
-         png_structp png_ptr = &dummy_struct;
+         memset(&dummy_struct, 0, sizeof dummy_struct);
-         png_ptr->mem_ptr=mem_ptr;
+         dummy_struct.mem_ptr=mem_ptr;
-         (*(free_fn))(png_ptr, struct_ptr);
+         (*(free_fn))(&dummy_struct, struct_ptr);
          return;
       }
 
@@ -143,7 +143,7 @@ png_malloc,(png_structp png_ptr, png_alloc_size_t size),PNG_ALLOCATED)
 
 #  ifdef PNG_USER_MEM_SUPPORTED
    if (png_ptr->malloc_fn != NULL)
-      ret = ((png_voidp)(*(png_ptr->malloc_fn))(png_ptr, (png_size_t)size));
+      ret = ((png_voidp)(*(png_ptr->malloc_fn))(png_ptr, size));
 
    else
       ret = (png_malloc_default(png_ptr, size));

pngpriv.h

@@ -6,7 +6,7 @@
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
- * Last changed in libpng 1.5.6 [(PENDING RELEASE)]
+ * Last changed in libpng 1.5.7 [(PENDING RELEASE)]
  *
  * This code is released under the libpng license.
  * For conditions of distribution and use, see the disclaimer

pngrutil.c

@@ -1,7 +1,7 @@
 
 /* pngrutil.c - utilities to read a PNG file
  *
- * Last changed in libpng 1.5.6 [(PENDING RELEASE)]
+ * Last changed in libpng 1.5.7 [(PENDING RELEASE)]
  * Copyright (c) 1998-2011 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)

pngvalid.c

@@ -1,7 +1,7 @@
 
 /* pngvalid.c - validate libpng by constructing then reading png files.
  *
- * Last changed in libpng 1.5.6 [(PENDING RELEASE)]
+ * Last changed in libpng 1.5.7 [(PENDING RELEASE)]
  * Copyright (c) 2011 Glenn Randers-Pehrson
  * Written by John Cunningham Bowler
  *
@@ -1332,7 +1332,21 @@ store_malloc(png_structp pp, png_alloc_size_t cb)
    }
 
    else
-      store_pool_error(pool->store, pp, "out of memory");
+   {
+      /* NOTE: the PNG user malloc function cannot use the png_ptr it is passed
+       * other than to retrieve the allocation pointer!  libpng calls the
+       * store_malloc callback in two basic cases:
+       *
+       * 1) From png_malloc; png_malloc will do a png_error itself if NULL is
+       *    returned.
+       * 2) From png_struct or png_info structure creation; png_malloc is
+       *    to return so cleanup can be performed.
+       *
+       * To handle this store_malloc can log a message, but can't do anything
+       * else.
+       */
+      store_log(pool->store, pp, "out of memory", 1 /* is_error */);
+   }
 
    return new;
 }
@@ -1343,6 +1357,14 @@ store_free(png_structp pp, png_voidp memory)
    store_pool *pool = voidcast(store_pool*, png_get_mem_ptr(pp));
    store_memory *this = voidcast(store_memory*, memory), **test;
 
+   /* Because libpng calls store_free with a dummy png_struct when deleting
+    * png_struct or png_info via png_destroy_struct_2 it is necessary to check
+    * the passed in png_structp to ensure it is valid, and not pass it to
+    * png_error if it is not.
+    */
+   if (pp != pool->store->pread && pp != pool->store->pwrite)
+      pp = NULL;
+
    /* First check that this 'memory' really is valid memory - it must be in the
     * pool list.  If it is, use the shared memory_free function to free it.
     */