--- pngpread.c
+++ pngpread.c
@@ -1501,8 +1501,13 @@
#endif
png_strcpy((png_charp)chunk.name, (png_charp)png_ptr->chunk_name);
- chunk.data = (png_bytep)png_malloc(png_ptr, length);
- png_crc_read(png_ptr, chunk.data, length);
+ if (length == 0)
+ chunk.data = NULL;
+ else
+ {
+ chunk.data = (png_bytep)png_malloc(png_ptr, length);
+ png_crc_read(png_ptr, chunk.data, length);
+ }
chunk.size = length;
#if defined(PNG_READ_USER_CHUNKS_SUPPORTED)
if(png_ptr->read_user_chunk_fn != NULL)
@@ -1520,7 +1525,7 @@
else
#endif
png_set_unknown_chunks(png_ptr, info_ptr, &chunk, 1);
- png_free(png_ptr, chunk.data);
+ if (chunk.data) png_free(png_ptr, chunk.data);
}
else
#endif
--- pngrutil.c
+++ pngrutil.c
@@ -2193,10 +2193,16 @@
length = (png_uint_32)65535L;
}
#endif
- png_strcpy((png_charp)chunk.name, (png_charp)png_ptr->chunk_name);
- chunk.data = (png_bytep)png_malloc(png_ptr, length);
+ png_memcpy((png_charp)chunk.name, (png_charp)png_ptr->chunk_name, png_sizeof(chunk.name));
+ chunk.name[png_sizeof(chunk.name)-1] = '\0';
chunk.size = (png_size_t)length;
- png_crc_read(png_ptr, (png_bytep)chunk.data, length);
+ if (length == 0)
+ chunk.data = NULL;
+ else
+ {
+ chunk.data = (png_bytep)png_malloc(png_ptr, length);
+ png_crc_read(png_ptr, (png_bytep)chunk.data, length);
+ }
#if defined(PNG_READ_USER_CHUNKS_SUPPORTED)
if(png_ptr->read_user_chunk_fn != NULL)
{
@@ -2207,7 +2213,7 @@
if(png_handle_as_unknown(png_ptr, png_ptr->chunk_name) !=
PNG_HANDLE_CHUNK_ALWAYS)
{
- png_free(png_ptr, chunk.data);
+ if(chunk.data) png_free(png_ptr, chunk.data);
png_chunk_error(png_ptr, "unknown critical chunk");
}
png_set_unknown_chunks(png_ptr, info_ptr, &chunk, 1);
@@ -2216,7 +2222,7 @@
else
#endif
png_set_unknown_chunks(png_ptr, info_ptr, &chunk, 1);
- png_free(png_ptr, chunk.data);
+ if(chunk.data) png_free(png_ptr, chunk.data);
}
else
#endif
--- pngset.c
+++ pngset.c
@@ -1023,19 +1023,26 @@
png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i;
png_unknown_chunkp from = unknowns + i;
- png_strncpy((png_charp)to->name, (png_charp)from->name, 5);
- to->data = (png_bytep)png_malloc_warn(png_ptr, from->size);
- if (to->data == NULL)
- {
- png_warning(png_ptr, "Out of memory processing unknown chunk.");
- }
+ png_memcpy((png_charp)to->name,
+ (png_charp)from->name,
+ png_sizeof(to->name));
+ to->name[png_sizeof(to->name)-1] = '\0';
+ to->size = from->size;
+ /* note our location in the read or write sequence */
+ to->location = (png_byte)(png_ptr->mode & 0xff);
+ if (from->size == 0)
+ to->data=NULL;
else
{
- png_memcpy(to->data, from->data, from->size);
- to->size = from->size;
-
- /* note our location in the read or write sequence */
- to->location = (png_byte)(png_ptr->mode & 0xff);
+ to->data = (png_bytep)png_malloc_warn(png_ptr, from->size);
+ if (to->data == NULL)
+ {
+ png_warning(png_ptr,
+ "Out of memory processing unknown chunk.");
+ to->size=0;
+ }
+ else
+ png_memcpy(to->data, from->data, from->size);
}
}
--- pngwrite.c
+++ pngwrite.c
@@ -112,6 +112,8 @@
((up->name[3] & 0x20) || keep == PNG_HANDLE_CHUNK_ALWAYS ||
(png_ptr->flags & PNG_FLAG_KEEP_UNSAFE_CHUNKS)))
{
+ if (up->size == 0)
+ png_warning(png_ptr, "Writing zero-length unknown chunk");
png_write_chunk(png_ptr, up->name, up->data, up->size);
}
}
distrib
>
Mandriva
>
2007.1
>
i586
>
media
>
main-updates-src
>
by-pkgid
>
8a05a15a2b2381e6d062a1c51755b511
>
files
>
4
