author | Geremy Condra <gcondra@google.com> | 2012-04-23 10:31:12 -0700 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2012-04-23 10:31:12 -0700 |
commit | 4c5554b04e73f89d4a9bab8cbcec1943d8c274be (patch) | |
tree | e3cbe97a1d980dc43437d23bfc8e6b68f0a98e33 /pngset.c | |
parent | 9dddf651ebc622db16467626ae0f5995d11e246f (diff) | |
parent | 5e12401790abb7416c1a27ff077e0a823e8cefd8 (diff) | |
Merge "Revise png_set_text_2() to avoid potential memory corruption (fixes CVE-2011-3048)"
Diffstat (limited to 'pngset.c')
-rw-r--r-- | pngset.c | 18 |
1 files changed, 14 insertions, 4 deletions
@@ -667,22 +667,26 @@ png_set_text_2(png_structp png_ptr, png_infop info_ptr, png_textp text_ptr,
  */
 if (info_ptr->num_text + num_text > info_ptr->max_text)
 {
+ int old_max_text = info_ptr->max_text;
+ int old_num_text = info_ptr->num_text;
+
 if (info_ptr->text != NULL)
 {
 png_textp old_text;
- int old_max;
 
- old_max = info_ptr->max_text;
 info_ptr->max_text = info_ptr->num_text + num_text + 8;
 old_text = info_ptr->text;
+
 info_ptr->text = (png_textp)png_malloc_warn(png_ptr,
 (png_uint_32)(info_ptr->max_text * png_sizeof(png_text)));
 if (info_ptr->text == NULL)
 {
- png_free(png_ptr, old_text);
+ /* Restore to previous condition */
+ info_ptr->max_text = old_max_text;
+ info_ptr->text = old_text;
 return(1);
 }
- png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max *
+ png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max_text *
 png_sizeof(png_text)));
 png_free(png_ptr, old_text);
 }
@@ -693,7 +697,12 @@ png_set_text_2(png_structp png_ptr, png_infop info_ptr, png_textp text_ptr,
 info_ptr->text = (png_textp)png_malloc_warn(png_ptr,
 (png_uint_32)(info_ptr->max_text * png_sizeof(png_text)));
 if (info_ptr->text == NULL)
+ {
+ /* Restore to previous condition */
+ info_ptr->num_text = old_num_text;
+ info_ptr->max_text = old_max_text;
 return(1);
+ }
 #ifdef PNG_FREE_ME_SUPPORTED
 info_ptr->free_me |= PNG_FREE_TEXT;
 #endif
@@ -701,6 +710,7 @@ png_set_text_2(png_structp png_ptr, png_infop info_ptr, png_textp text_ptr,
 png_debug1(3, "allocated %d entries for info_ptr->text",
 info_ptr->max_text);
 }
+
 for (i = 0; i < num_text; i++)
 {
 png_size_t text_length, key_len;
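Review bot: The restored failure path no longer frees a pointer the caller still holds, but the size handed to png_malloc_warn just above the new `if (info_ptr->text == NULL)` block is still `info_ptr->num_text + num_text + 8` in plain int, scaled by png_sizeof(png_text) and cast to png_uint_32 with no bound on the caller-supplied num_text, so a negative or very large count can wrap before the allocation is even attempted (assuming nothing earlier in png_set_text_2 bounds it — the function's start is outside this hunk). A guard ahead of this block that rejects num_text < 0 and any count for which the resulting max_text times png_sizeof(png_text) does not fit in png_uint_32, returning 1 like the allocation-failure path, would close that. Separately, the png_memcpy copies `old_max_text` entries although only the first `old_num_text` hold data, so it reads never-written slots of the old array; `(png_size_t)(old_num_text * png_sizeof(png_text))` is enough since num_text cannot exceed max_text. png_set_text_2 continues past the end of this hunk.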
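Review bot: The restore in this branch also rewinds num_text, unlike the one in the earlier hunk, and nothing visible here says which assignment it is undoing — presumably the lines immediately above the hunk zero num_text before allocating, but they are outside it. The comment should say so, e.g. `/* Restore to previous condition (undo the num_text/max_text reset above) */`, so the next reader does not treat the asymmetry between the two failure paths as a bug. png_set_text_2 begins before and continues after this hunk.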