[libpng15] Fixed a relatively harmless memory overwrite in compressed text writing

commit: 5c1905caae522906dacc5e19ecd7787e60b43507 [log] [tgz]
author: John Bowler <jbowler@acm.org> Fri Oct 14 12:33:52 2011 -0500
committer: Glenn Randers-Pehrson <glennrp at users.sourceforge.net> Fri Oct 14 12:33:52 2011 -0500
tree: 317325145349c2f9617dd121abc46da6af0dfde8
parent: d58251b47e0e659166b052140f5559c1b64f9c48 [diff] [blame]
diff --git a/pngwutil.c b/pngwutil.c
index 2554d51..e4087c4 100644
--- a/pngwutil.c
+++ b/pngwutil.c

@@ -582,7 +582,10 @@
    }
 
 #ifdef PNG_WRITE_OPTIMIZE_CMF_SUPPORTED
-   if (comp->input_len >= 2 && comp->input_len < 16384)
+   /* The zbuf_size test is because the code below doesn't work if zbuf_size is
+    * '1'; simply skip it to avoid memory overwrite.
+    */
+   if (comp->input_len >= 2 && comp->input_len < 16384 && png_ptr->zbuf_size > 1)
    {
       unsigned int z_cmf;  /* zlib compression method and flags */
commit	5c1905caae522906dacc5e19ecd7787e60b43507	[log] [tgz]
author	John Bowler <jbowler@acm.org>	Fri Oct 14 12:33:52 2011 -0500
committer	Glenn Randers-Pehrson <glennrp at users.sourceforge.net>	Fri Oct 14 12:33:52 2011 -0500
tree	317325145349c2f9617dd121abc46da6af0dfde8
parent	d58251b47e0e659166b052140f5559c1b64f9c48 [diff] [blame]