aboutsummaryrefslogtreecommitdiffhomepage
path: root/third_party
diff options
context:
space:
mode:
authorGravatar scroggo <scroggo@chromium.org>2016-06-03 09:36:53 -0700
committerGravatar Commit bot <commit-bot@chromium.org>2016-06-03 09:36:53 -0700
commit1915b0bab2b48cf8bf85dc49e76994b033f25450 (patch)
tree6954f5695e694dc3022f0cf3f716a4c5ad7c0604 /third_party
parent7b9eabb392902e6e8f4206ba8aa041524258fd0f (diff)
Fix undefined behavior in libpng
Check for a null source before calling memcpy. BUG=skia:5390 GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2040433002 Review-Url: https://codereview.chromium.org/2040433002
Diffstat (limited to 'third_party')
-rw-r--r--third_party/libpng/README.google1
-rw-r--r--third_party/libpng/pngpread.c11
2 files changed, 12 insertions, 0 deletions
diff --git a/third_party/libpng/README.google b/third_party/libpng/README.google
index 20f5d46992..1acc408cb1 100644
--- a/third_party/libpng/README.google
+++ b/third_party/libpng/README.google
@@ -9,3 +9,4 @@ Local Modifications:
(2) Included Intel optimizations by running:
"patch -i contrib/intel/intel_sse.patch -p1"
(3) Removed files unused by Skia
+ (4) Fixed an undefined behavior bug (skbug.com/5390)
diff --git a/third_party/libpng/pngpread.c b/third_party/libpng/pngpread.c
index 0dc1e53c22..0266cbe43a 100644
--- a/third_party/libpng/pngpread.c
+++ b/third_party/libpng/pngpread.c
@@ -499,7 +499,18 @@ png_push_save_buffer(png_structrp png_ptr)
png_error(png_ptr, "Insufficient memory for save_buffer");
}
+#if 0
+ // This is the code checked into libpng. Calling memcpy with a null
+ // source is undefined, even if count is 0, but libpng does not
+ // currently check for null or 0. The Skia fix is below.
+ // skbug.com/5390
memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+#else
+ if (old_buffer)
+ memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
+ else if (png_ptr->save_buffer_size)
+ png_error(png_ptr, "save_buffer error");
+#endif
png_free(png_ptr, old_buffer);
png_ptr->save_buffer_max = new_max;
}