[libpng16] Revised png_set_text_2() to avoid possible memory corruption

when writing.
2012-03-16 23:19:02 -05:00 · 2012-03-16 23:19:02 -05:00 · c26d6e9aac
commit c26d6e9aac
parent 42ed02ed9a
3 changed files with 15 additions and 4 deletions
--- a/1
+++ b/1
@ -319,6 +319,7 @@ Version 1.6.0beta18 [March 16, 2012]
    this is disabled in which case the simplified API can't be built.)

 Version 1.6.0beta19 [March 17, 2012]
+  Revised png_set_text_2() to avoid potential memory corruption.

 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
--- a/1
+++ b/1
@ -4070,6 +4070,7 @@ Version 1.6.0beta18 [March 16, 2012]
    this is disabled in which case the simplified API can't be built.)

 Version 1.6.0beta19 [March 17, 2012]
+  Revised png_set_text_2() to avoid potential memory corruption.

 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
--- a/pngset.c
+++ b/pngset.c
@ -706,24 +706,28 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
    */
   if (info_ptr->num_text + num_text > info_ptr->max_text)
   {
+      int old_max_text = info_ptr->max_text;
+      int old_num_text = info_ptr->num_text;
+
      if (info_ptr->text != NULL)
      {
         png_textp old_text;
-         int old_max;

-         old_max = info_ptr->max_text;
         info_ptr->max_text = info_ptr->num_text + num_text + 8;
         old_text = info_ptr->text;
+
         info_ptr->text = (png_textp)png_malloc_warn(png_ptr,
            (png_size_t)(info_ptr->max_text * png_sizeof(png_text)));

         if (info_ptr->text == NULL)
         {
-            png_free(png_ptr, old_text);
+            /* Restore to previous condition */
+            info_ptr->max_text = old_max_text;
+            info_ptr->text = old_text;
            return(1);
         }

-         png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max *
+         png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max_text *
             png_sizeof(png_text)));
         png_free(png_ptr, old_text);
      }
@ -735,7 +739,12 @@ png_set_text_2(png_const_structrp png_ptr, png_inforp info_ptr,
         info_ptr->text = (png_textp)png_malloc_warn(png_ptr,
             (png_size_t)(info_ptr->max_text * png_sizeof(png_text)));
         if (info_ptr->text == NULL)
+         {
+            /* Restore to previous condition */
+            info_ptr->num_text = old_num_text;
+            info_ptr->max_text = old_max_text;
            return(1);
+         }
         info_ptr->free_me |= PNG_FREE_TEXT;
      }