Upgrading libpng to 1.2.46 to fix a few vulnerabilities.
Bug: 5057432
Bug: 5055636
Change-Id: I9e1b51881386aa9f574a38abc844e036baef9091
diff --git a/pngerror.c b/pngerror.c
index 7bc98fb..025d52e 100644
--- a/pngerror.c
+++ b/pngerror.c
@@ -1,8 +1,8 @@
/* pngerror.c - stub functions for i/o and memory allocation
*
- * Last changed in libpng 1.2.41 [December 3, 2009]
- * Copyright (c) 1998-2009 Glenn Randers-Pehrson
+ * Last changed in libpng 1.2.45 [July 7, 2011]
+ * Copyright (c) 1998-2011 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
*
@@ -87,12 +87,17 @@
void PNGAPI
png_err(png_structp png_ptr)
{
+ /* Prior to 1.2.45 the error_fn received a NULL pointer, expressed
+ * erroneously as '\0', instead of the empty string "". This was
+ * apparently an error, introduced in libpng-1.2.20, and png_default_error
+ * will crash in this case.
+ */
if (png_ptr != NULL && png_ptr->error_fn != NULL)
- (*(png_ptr->error_fn))(png_ptr, '\0');
+ (*(png_ptr->error_fn))(png_ptr, "");
/* If the custom handler doesn't exist, or if it returns,
use the default handler, which will not return. */
- png_default_error(png_ptr, '\0');
+ png_default_error(png_ptr, "");
}
#endif /* PNG_ERROR_TEXT_SUPPORTED */
@@ -181,8 +186,13 @@
{
buffer[iout++] = ':';
buffer[iout++] = ' ';
- png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
- buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';
+
+ iin = 0;
+ while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
+ buffer[iout++] = error_message[iin++];
+
+ /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
+ buffer[iout] = '\0';
}
}