From 1915b0bab2b48cf8bf85dc49e76994b033f25450 Mon Sep 17 00:00:00 2001
From: scroggo
Date: Fri, 3 Jun 2016 09:36:53 -0700
Subject: [PATCH] Fix undefined behavior in libpng

Check for a null source before calling memcpy.
BUG=skia:5390
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2040433002
Review-Url: https://codereview.chromium.org/2040433002
---
 third_party/libpng/README.google | 1 +
 third_party/libpng/pngpread.c | 11 +++++++++++
 2 files changed, 12 insertions(+)
diff --git a/third_party/libpng/README.google b/third_party/libpng/README.google
index 20f5d46..1acc408 100644
--- a/third_party/libpng/README.google
+++ b/third_party/libpng/README.google
@@ -9,3 +9,4 @@ Local Modifications:
 (2) Included Intel optimizations by running:
 "patch -i contrib/intel/intel_sse.patch -p1"
 (3) Removed files unused by Skia
+ (4) Fixed an undefined behavior bug (skbug.com/5390)
diff --git a/third_party/libpng/pngpread.c b/third_party/libpng/pngpread.c
index 0dc1e53..0266cbe 100644
--- a/third_party/libpng/pngpread.c
+++ b/third_party/libpng/pngpread.c
@@ -499,7 +499,18 @@ png_push_save_buffer(png_structrp png_ptr)
 png_error(png_ptr, "Insufficient memory for save_buffer");
 }
 
+#if 0
+ // This is the code checked into libpng. Calling memcpy with a null
+ // source is undefined, even if count is 0, but libpng does not
+ // currently check for null or 0. The Skia fix is below.
+ // skbug.com/5390
 memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+#else
+ if (old_buffer)
+ memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+ else if (png_ptr->save_buffer_size)
+ png_error(png_ptr, "save_buffer error");
+#endif
 png_free(png_ptr, old_buffer);
 png_ptr->save_buffer_max = new_max;
 }
-- 
2.7.4
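Review bot: The new `else if` branch in pngpread.c reports an inconsistent internal state (a NULL `old_buffer` while `save_buffer_size` is nonzero) with the generic message `"save_buffer error"`, which gives nothing to act on when it fires in a crash report; naming the violated invariant, e.g. `png_error(png_ptr, "save_buffer is NULL with nonzero save_buffer_size");`, makes the failure diagnosable. Failing via `png_error` here is the right call over silently skipping the copy, since a nonzero size with no source would leave the new buffer missing bytes that later parsing assumes are present, so a one-line comment on the `else if` saying it guards a should-never-happen state rather than an expected path would help the next maintainer. The `#if 0` block keeps the original `memcpy` line as dead code, presumably to keep the delta against upstream libpng small; if that is the intent, the comment should say so explicitly. The enclosing `png_push_save_buffer` begins before this hunk and, as far as the hunk shows, continues past it.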