[libpng16] Fixed undefined behavior in png_push_save_buffer(). Do not call
memcpy() with a null source, even if count is zero (Leon Scroggins III).
diff --git a/ANNOUNCE b/ANNOUNCE
index 4a34633..9de5bd5 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -41,6 +41,10 @@
Moved sse2 prototype from pngpriv.h to contrib/intel/intel_sse.patch.
Added missing ")" in pngerror.c (Matt Sarrett).
+Version 1.6.23rc02 [June 3, 2016]
+ Fixed undefined behavior in png_push_save_buffer(). Do not call
+ memcpy() with a null source, even if count is zero (Leon Scroggins III).
+
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/CHANGES b/CHANGES
index e5da9cc..a8f83af 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5589,6 +5589,10 @@
Moved sse2 prototype from pngpriv.h to contrib/intel/intel_sse.patch.
Added missing ")" in pngerror.c (Matt Sarrett).
+Version 1.6.23rc02 [June 3, 2016]
+ Fixed undefined behavior in png_push_save_buffer(). Do not call
+ memcpy() with a null source, even if count is zero (Leon Scroggins III).
+
Send comments/corrections/commendations to png-mng-implement at lists.sf.net
(subscription required; visit
https://lists.sourceforge.net/lists/listinfo/png-mng-implement
diff --git a/pngpread.c b/pngpread.c
index 2e02088..5571533 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -501,7 +501,10 @@
png_error(png_ptr, "Insufficient memory for save_buffer");
}
- memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+ if (old_buffer)
+ memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+ else if (png_ptr->save_buffer_size)
+ png_error(png_ptr, "save_buffer error");
png_free(png_ptr, old_buffer);
png_ptr->save_buffer_max = new_max;
}