diff options
author | Eric Vannier <evannier@google.com> | 2011-07-20 17:03:29 -0700 |
---|---|---|
committer | Kenny Root <kroot@google.com> | 2011-07-21 10:35:54 -0700 |
commit | 66dce0da6a5db51ee0c2875517d3a6ca6cbbe53d (patch) | |
tree | 7a375165c96b754d82ba1b6c304084645a5197bf /pngerror.c | |
parent | 6acf3dd4a350c51fd2b72ec990b7da6d5657e52a (diff) | |
download | external_libpng-66dce0da6a5db51ee0c2875517d3a6ca6cbbe53d.zip external_libpng-66dce0da6a5db51ee0c2875517d3a6ca6cbbe53d.tar.gz external_libpng-66dce0da6a5db51ee0c2875517d3a6ca6cbbe53d.tar.bz2 |
Upgrading libpng to 1.2.46 to fix a few vulnerabilities.
Bug: 5057432
Bug: 5055636
Change-Id: I9e1b51881386aa9f574a38abc844e036baef9091
Diffstat (limited to 'pngerror.c')
-rw-r--r-- | pngerror.c | 22 |
1 files changed, 16 insertions, 6 deletions
@@ -1,8 +1,8 @@ /* pngerror.c - stub functions for i/o and memory allocation * - * Last changed in libpng 1.2.41 [December 3, 2009] - * Copyright (c) 1998-2009 Glenn Randers-Pehrson + * Last changed in libpng 1.2.45 [July 7, 2011] + * Copyright (c) 1998-2011 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -87,12 +87,17 @@ png_error(png_structp png_ptr, png_const_charp error_message) void PNGAPI png_err(png_structp png_ptr) { + /* Prior to 1.2.45 the error_fn received a NULL pointer, expressed + * erroneously as '\0', instead of the empty string "". This was + * apparently an error, introduced in libpng-1.2.20, and png_default_error + * will crash in this case. + */ if (png_ptr != NULL && png_ptr->error_fn != NULL) - (*(png_ptr->error_fn))(png_ptr, '\0'); + (*(png_ptr->error_fn))(png_ptr, ""); /* If the custom handler doesn't exist, or if it returns, use the default handler, which will not return. */ - png_default_error(png_ptr, '\0'); + png_default_error(png_ptr, ""); } #endif /* PNG_ERROR_TEXT_SUPPORTED */ @@ -181,8 +186,13 @@ png_format_buffer(png_structp png_ptr, png_charp buffer, png_const_charp { buffer[iout++] = ':'; buffer[iout++] = ' '; - png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT); - buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0'; + + iin = 0; + while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0') + buffer[iout++] = error_message[iin++]; + + /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */ + buffer[iout] = '\0'; } } |