Google Git
Sign in
flutter / third_party / libpng / c26d6e9aac5681aa00024d223cc0033f6dbb3a2d^! / .
commitc26d6e9aac5681aa00024d223cc0033f6dbb3a2d[log] [tgz]
authorGlenn Randers-Pehrson <glennrp at users.sourceforge.net>Fri Mar 16 23:19:02 2012 -0500
committerGlenn Randers-Pehrson <glennrp at users.sourceforge.net>Fri Mar 16 23:19:02 2012 -0500
treee6302fb8251bdf7283f59f84e66daa2ff797603a
parent42ed02ed9aa84f5f422178363e510c4aced7b837 [diff]
[libpng16] Revised png_set_text_2() to avoid possible memory corruption

when writing.

diff --git a/ANNOUNCE b/ANNOUNCE
index 40d92e3..8466ba4 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE

@@ -319,6 +319,7 @@
     this is disabled in which case the simplified API can't be built.)
 
 Version 1.6.0beta19 [March 17, 2012]
+  Revised png_set_text_2() to avoid potential memory corruption.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

diff --git a/CHANGES b/CHANGES
index cf990b8..ccd9051 100644
--- a/CHANGES
+++ b/CHANGES

@@ -4070,6 +4070,7 @@
     this is disabled in which case the simplified API can't be built.)
 
 Version 1.6.0beta19 [March 17, 2012]
+  Revised png_set_text_2() to avoid potential memory corruption.
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

diff --git a/pngset.c b/pngset.c
index bde866f..6b74d94 100644
--- a/pngset.c
+++ b/pngset.c

@@ -706,24 +706,28 @@
     */
    if (info_ptr->num_text + num_text > info_ptr->max_text)
    {
+      int old_max_text = info_ptr->max_text;
+      int old_num_text = info_ptr->num_text;
+
       if (info_ptr->text != NULL)
       {
          png_textp old_text;
-         int old_max;
 
-         old_max = info_ptr->max_text;
          info_ptr->max_text = info_ptr->num_text + num_text + 8;
          old_text = info_ptr->text;
+
          info_ptr->text = (png_textp)png_malloc_warn(png_ptr,
             (png_size_t)(info_ptr->max_text * png_sizeof(png_text)));
 
          if (info_ptr->text == NULL)
          {
-            png_free(png_ptr, old_text);
+            /* Restore to previous condition */
+            info_ptr->max_text = old_max_text;
+            info_ptr->text = old_text;
             return(1);
          }
 
-         png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max *
+         png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max_text *
              png_sizeof(png_text)));
          png_free(png_ptr, old_text);
       }
@@ -735,7 +739,12 @@
          info_ptr->text = (png_textp)png_malloc_warn(png_ptr,
              (png_size_t)(info_ptr->max_text * png_sizeof(png_text)));
          if (info_ptr->text == NULL)
+         {
+            /* Restore to previous condition */
+            info_ptr->num_text = old_num_text;
+            info_ptr->max_text = old_max_text;
             return(1);
+         }
          info_ptr->free_me |= PNG_FREE_TEXT;
       }