Revise png_set_text_2() to avoid potential memory corruption (fixes CVE-2011-3048)
Bug: 6343606
Change-Id: I654fa367c4c3122bba1f99a495e680b75b2db978
diff --git a/pngset.c b/pngset.c
index 717757f..c9ab8f6 100644
--- a/pngset.c
+++ b/pngset.c
@@ -667,22 +667,26 @@
*/
if (info_ptr->num_text + num_text > info_ptr->max_text)
{
+ int old_max_text = info_ptr->max_text;
+ int old_num_text = info_ptr->num_text;
+
if (info_ptr->text != NULL)
{
png_textp old_text;
- int old_max;
- old_max = info_ptr->max_text;
info_ptr->max_text = info_ptr->num_text + num_text + 8;
old_text = info_ptr->text;
+
info_ptr->text = (png_textp)png_malloc_warn(png_ptr,
(png_uint_32)(info_ptr->max_text * png_sizeof(png_text)));
if (info_ptr->text == NULL)
{
- png_free(png_ptr, old_text);
+ /* Restore to previous condition */
+ info_ptr->max_text = old_max_text;
+ info_ptr->text = old_text;
return(1);
}
- png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max *
+ png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max_text *
png_sizeof(png_text)));
png_free(png_ptr, old_text);
}
@@ -693,7 +697,12 @@
info_ptr->text = (png_textp)png_malloc_warn(png_ptr,
(png_uint_32)(info_ptr->max_text * png_sizeof(png_text)));
if (info_ptr->text == NULL)
+ {
+ /* Restore to previous condition */
+ info_ptr->num_text = old_num_text;
+ info_ptr->max_text = old_max_text;
return(1);
+ }
#ifdef PNG_FREE_ME_SUPPORTED
info_ptr->free_me |= PNG_FREE_TEXT;
#endif
@@ -701,6 +710,7 @@
png_debug1(3, "allocated %d entries for info_ptr->text",
info_ptr->max_text);
}
+
for (i = 0; i < num_text; i++)
{
png_size_t text_length, key_len;