mewin/libpng
1
0
Fork 0
mirror of https://git.code.sf.net/p/libpng/code.git synced 2025-07-10 18:04:09 +02:00
Code Issues Projects Releases Wiki Activity

[libpng16] Revised png_set_text_2() to avoid possible memory corruption

Browse Source 
when writing.
This commit is contained in:
Glenn Randers-Pehrson 2012-03-16 23:19:02 -05:00
parent 42ed02ed9a
commit c26d6e9aac
3 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ANNOUNCE
View File

@ -319,6 +319,7 @@ Version 1.6.0beta18 [March 16, 2012]
this is disabled in which case the simplified API can't be built.) this is disabled in which case the simplified API can't be built.)
Version 1.6.0beta19 [March 17, 2012] Version 1.6.0beta19 [March 17, 2012]
Revised png_set_text_2() to avoid potential memory corruption.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

1
CHANGES
View File

@ -4070,6 +4070,7 @@ Version 1.6.0beta18 [March 16, 2012]
this is disabled in which case the simplified API can't be built.) this is disabled in which case the simplified API can't be built.)
Version 1.6.0beta19 [March 17, 2012] Version 1.6.0beta19 [March 17, 2012]
Revised png_set_text_2() to avoid potential memory corruption.
Send comments/corrections/commendations to png-mng-implement at lists.sf.net Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit (subscription required; visit

17
pngset.c
View File

@ -706,24 +706,28 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
*/ */
if (info_ptr->num_text + num_text > info_ptr->max_text) if (info_ptr->num_text + num_text > info_ptr->max_text)
{ {
int old_max_text = info_ptr->max_text;
int old_num_text = info_ptr->num_text;
if (info_ptr->text != NULL) if (info_ptr->text != NULL)
{ {
png_textp old_text; png_textp old_text;
int old_max;
old_max = info_ptr->max_text;
info_ptr->max_text = info_ptr->num_text + num_text + 8; info_ptr->max_text = info_ptr->num_text + num_text + 8;
old_text = info_ptr->text; old_text = info_ptr->text;
info_ptr->text = (png_textp)png_malloc_warn(png_ptr, info_ptr->text = (png_textp)png_malloc_warn(png_ptr,
(png_size_t)(info_ptr->max_text * png_sizeof(png_text))); (png_size_t)(info_ptr->max_text * png_sizeof(png_text)));
if (info_ptr->text == NULL) if (info_ptr->text == NULL)
{ {
png_free(png_ptr, old_text); /* Restore to previous condition */
info_ptr->max_text = old_max_text;
info_ptr->text = old_text;
return(1); return(1);
} }
png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max * png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max_text *
png_sizeof(png_text))); png_sizeof(png_text)));
png_free(png_ptr, old_text); png_free(png_ptr, old_text);
} }
@ -735,7 +739,12 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
info_ptr->text = (png_textp)png_malloc_warn(png_ptr, info_ptr->text = (png_textp)png_malloc_warn(png_ptr,
(png_size_t)(info_ptr->max_text * png_sizeof(png_text))); (png_size_t)(info_ptr->max_text * png_sizeof(png_text)));
if (info_ptr->text == NULL) if (info_ptr->text == NULL)
{
/* Restore to previous condition */
info_ptr->num_text = old_num_text;
info_ptr->max_text = old_max_text;
return(1); return(1);
}
info_ptr->free_me |= PNG_FREE_TEXT; info_ptr->free_me |= PNG_FREE_TEXT;
} }