From c6a8cb7d10895b5046a77977dab2766c30fac8b8 Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp at users.sourceforge.net>
Date: Wed, 29 Oct 2014 08:27:34 -0500
Subject: [PATCH] [libpng16] Added missing "ptr = NULL" after some instances of
 png_free().

---
 ANNOUNCE   |  5 +++--
 png.c      |  4 ++--
 pngpread.c |  4 +++-
 pngread.c  | 16 +++++++++++++++-
 pngrutil.c |  1 +
 pngwrite.c |  9 +++++++++
 6 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/ANNOUNCE b/ANNOUNCE
index 356d9bb5d..d26da34de 100644
--- a/ANNOUNCE
+++ b/ANNOUNCE
@@ -1,4 +1,4 @@
-Libpng 1.6.15beta01 - October 27, 2014
+Libpng 1.6.15beta01 - October 29, 2014
 
 This is not intended to be a public release.  It will be replaced
 within a few weeks by a public version or by another test version.
@@ -25,9 +25,10 @@ Other information:
 
 Changes since the last public release (1.6.14):
 
-Version 1.6.15beta01 [October 27, 2014]
+Version 1.6.15beta01 [October 29, 2014]
   Changed "if (!x)" to "if (x == 0)" and "if (x)" to "if (x !== 0)"
   Simplified png_free_data().
+  Added missing "ptr = NULL" after some instances of png_free().
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit
diff --git a/png.c b/png.c
index 79aba0268..7c92b3225 100644
--- a/png.c
+++ b/png.c
@@ -768,13 +768,13 @@ png_get_copyright(png_const_structrp png_ptr)
 #else
 #  ifdef __STDC__
    return PNG_STRING_NEWLINE \
-     "libpng version 1.6.15beta01 - October 27, 2014" PNG_STRING_NEWLINE \
+     "libpng version 1.6.15beta01 - October 29, 2014" PNG_STRING_NEWLINE \
      "Copyright (c) 1998-2014 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \
      "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \
      "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \
      PNG_STRING_NEWLINE;
 #  else
-      return "libpng version 1.6.15beta01 - October 27, 2014\
+      return "libpng version 1.6.15beta01 - October 29, 2014\
       Copyright (c) 1998-2014 Glenn Randers-Pehrson\
       Copyright (c) 1996-1997 Andreas Dilger\
       Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.";
diff --git a/pngpread.c b/pngpread.c
index bcd9261df..d2d9fd72c 100644
--- a/pngpread.c
+++ b/pngpread.c
@@ -1,7 +1,7 @@
 
 /* pngpread.c - read a png file in push mode
  *
- * Last changed in libpng 1.6.14 [October 23, 2014]
+ * Last changed in libpng 1.6.15 [(PENDING RELEASE)]
  * Copyright (c) 1998-2014 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -584,11 +584,13 @@ png_push_save_buffer(png_structrp png_ptr)
       if (png_ptr->save_buffer == NULL)
       {
          png_free(png_ptr, old_buffer);
+         old_buffer = NULL;
          png_error(png_ptr, "Insufficient memory for save_buffer");
       }
 
       memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
       png_free(png_ptr, old_buffer);
+      old_buffer = NULL;
       png_ptr->save_buffer_max = new_max;
    }
    if (png_ptr->current_buffer_size)
diff --git a/pngread.c b/pngread.c
index 53b9c3b9b..803515bb9 100644
--- a/pngread.c
+++ b/pngread.c
@@ -1,7 +1,7 @@
 
 /* pngread.c - read a PNG file
  *
- * Last changed in libpng 1.6.11 [June 5, 2014]
+ * Last changed in libpng 1.6.15 [(PENDING RELEASE)]
  * Copyright (c) 1998-2014 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
@@ -922,22 +922,33 @@ png_read_destroy(png_structrp png_ptr)
 #endif
 
    png_free(png_ptr, png_ptr->big_row_buf);
+   png_ptr->big_row_buf = NULL;
    png_free(png_ptr, png_ptr->big_prev_row);
+   png_ptr->big_prev_row = NULL;
    png_free(png_ptr, png_ptr->read_buffer);
+   png_ptr->read_buffer = NULL;
 
 #ifdef PNG_READ_QUANTIZE_SUPPORTED
    png_free(png_ptr, png_ptr->palette_lookup);
+   png_ptr->palette_lookup = NULL;
    png_free(png_ptr, png_ptr->quantize_index);
+   png_ptr->quantize_index = NULL;
 #endif
 
    if (png_ptr->free_me & PNG_FREE_PLTE)
+   {
       png_zfree(png_ptr, png_ptr->palette);
+      png_ptr->palette = NULL;
+   }
    png_ptr->free_me &= ~PNG_FREE_PLTE;
 
 #if defined(PNG_tRNS_SUPPORTED) || \
     defined(PNG_READ_EXPAND_SUPPORTED) || defined(PNG_READ_BACKGROUND_SUPPORTED)
    if (png_ptr->free_me & PNG_FREE_TRNS)
+   {
       png_free(png_ptr, png_ptr->trans_alpha);
+      png_ptr->trans_alpha = NULL;
+   }
    png_ptr->free_me &= ~PNG_FREE_TRNS;
 #endif
 
@@ -945,15 +956,18 @@ png_read_destroy(png_structrp png_ptr)
 
 #ifdef PNG_PROGRESSIVE_READ_SUPPORTED
    png_free(png_ptr, png_ptr->save_buffer);
+   png_ptr->save_buffer = NULL;
 #endif
 
 #if defined(PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED) && \
    defined(PNG_READ_UNKNOWN_CHUNKS_SUPPORTED)
    png_free(png_ptr, png_ptr->unknown_chunk.data);
+   png_ptr->unknown_chunk.data = NULL;
 #endif
 
 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
    png_free(png_ptr, png_ptr->chunk_list);
+   png_ptr->chunk_list = NULL;
 #endif
 
    /* NOTE: the 'setjmp' buffer may still be allocated and the memory and error
diff --git a/pngrutil.c b/pngrutil.c
index bfc855941..0e8413240 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -670,6 +670,7 @@ png_decompress_chunk(png_structrp png_ptr,
                    * success)
                    */
                   png_free(png_ptr, text);
+                  text = NULL;
 
                   /* This really is very benign, but it's still an error because
                    * the extra space may otherwise be used as a Trojan Horse.
diff --git a/pngwrite.c b/pngwrite.c
index 6aae6c326..890ce99a6 100644
--- a/pngwrite.c
+++ b/pngwrite.c
@@ -933,12 +933,18 @@ png_write_destroy(png_structrp png_ptr)
    /* Free our memory.  png_free checks NULL for us. */
    png_free_buffer_list(png_ptr, &png_ptr->zbuffer_list);
    png_free(png_ptr, png_ptr->row_buf);
+   png_ptr->row_buf = NULL;
 #ifdef PNG_WRITE_FILTER_SUPPORTED
    png_free(png_ptr, png_ptr->prev_row);
    png_free(png_ptr, png_ptr->sub_row);
    png_free(png_ptr, png_ptr->up_row);
    png_free(png_ptr, png_ptr->avg_row);
    png_free(png_ptr, png_ptr->paeth_row);
+   png_ptr->prev_row = NULL;
+   png_ptr->sub_row = NULL;
+   png_ptr->up_row = NULL;
+   png_ptr->avg_row = NULL;
+   png_ptr->paeth_row = NULL;
 #endif
 
 #ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED
@@ -946,10 +952,13 @@ png_write_destroy(png_structrp png_ptr)
    png_reset_filter_heuristics(png_ptr);
    png_free(png_ptr, png_ptr->filter_costs);
    png_free(png_ptr, png_ptr->inv_filter_costs);
+   png_ptr->filter_costs = NULL;
+   png_ptr->inv_filter_costs = NULL;
 #endif
 
 #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
    png_free(png_ptr, png_ptr->chunk_list);
+   png_ptr->chunk_list = NULL;
 #endif
 
    /* The error handling and memory handling information is left intact at this