Description: fix denial of service and possible code execution via
memory corruption issue.
Origin: Debian's 1.2.44-1+squeeze4 update
5
diff -Naur libpng-1.2.44/pngset.c libpng-1.2.44/pngset.c
6
--- libpng-1.2.44/pngset.c 2012-03-08 14:46:43.000000000 +0100
7
+++ libpng-1.2.44/pngset.c 2012-03-29 06:46:53.000000000 +0200
10
if (info_ptr->num_text + num_text > info_ptr->max_text)
12
+ int old_max_text = info_ptr->max_text;
13
+ int old_num_text = info_ptr->num_text;
15
if (info_ptr->text != NULL)
20
- old_max = info_ptr->max_text;
21
info_ptr->max_text = info_ptr->num_text + num_text + 8;
22
old_text = info_ptr->text;
24
info_ptr->text = (png_textp)png_malloc_warn(png_ptr,
25
(png_uint_32)(info_ptr->max_text * png_sizeof(png_text)));
26
if (info_ptr->text == NULL)
28
- png_free(png_ptr, old_text);
29
+ /* Restore to previous condition */
30
+ info_ptr->max_text = old_max_text;
31
+ info_ptr->text = old_text;
34
- png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max *
35
+ png_memcpy(info_ptr->text, old_text, (png_size_t)(old_max_text *
36
png_sizeof(png_text)));
37
png_free(png_ptr, old_text);
40
info_ptr->text = (png_textp)png_malloc_warn(png_ptr,
41
(png_uint_32)(info_ptr->max_text * png_sizeof(png_text)));
42
if (info_ptr->text == NULL)
44
+ /* Restore to previous condition */
45
+ info_ptr->num_text = old_num_text;
46
+ info_ptr->max_text = old_max_text;
49
#ifdef PNG_FREE_ME_SUPPORTED
50
info_ptr->free_me |= PNG_FREE_TEXT;
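Review bot: The size arithmetic that feeds both allocations is still unchecked after this change: `info_ptr->num_text + num_text` in the capacity test and in `info_ptr->max_text = info_ptr->num_text + num_text + 8;` is signed addition (the counts are saved into `int` locals here), and `info_ptr->max_text * png_sizeof(png_text)` is narrowed by the `(png_uint_32)` cast before it reaches `png_malloc_warn`. If `num_text` is a caller-supplied count (its declaration is not in the visible lines, so this is an assumption to confirm), a large value can overflow the sum or wrap the product, leaving a `text` array smaller than `max_text` claims. I would fail the call before any field is modified when `num_text < 0 || num_text > INT_MAX - info_ptr->num_text - 8`, and also reject a `max_text` whose product with `png_sizeof(png_text)` does not fit the allocator's size type. The restore-on-failure assignments themselves are consistent with the saved `old_max_text` and `old_num_text`. The enclosing function starts and ends outside this section, and several lines of the hunk (braces and the failure returns, presumably) are not shown on the page.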