--- pngpread.c +++ pngpread.c @@ -1501,8 +1501,13 @@ #endif png_strcpy((png_charp)chunk.name, (png_charp)png_ptr->chunk_name); - chunk.data = (png_bytep)png_malloc(png_ptr, length); - png_crc_read(png_ptr, chunk.data, length); + if (length == 0) + chunk.data = NULL; + else + { + chunk.data = (png_bytep)png_malloc(png_ptr, length); + png_crc_read(png_ptr, chunk.data, length); + } chunk.size = length; #if defined(PNG_READ_USER_CHUNKS_SUPPORTED) if(png_ptr->read_user_chunk_fn != NULL) @@ -1520,7 +1525,7 @@ else #endif png_set_unknown_chunks(png_ptr, info_ptr, &chunk, 1); - png_free(png_ptr, chunk.data); + if (chunk.data) png_free(png_ptr, chunk.data); } else #endif --- pngrutil.c +++ pngrutil.c @@ -2193,10 +2193,16 @@ length = (png_uint_32)65535L; } #endif - png_strcpy((png_charp)chunk.name, (png_charp)png_ptr->chunk_name); - chunk.data = (png_bytep)png_malloc(png_ptr, length); + png_memcpy((png_charp)chunk.name, (png_charp)png_ptr->chunk_name, png_sizeof(chunk.name)); + chunk.name[png_sizeof(chunk.name)-1] = '\0'; chunk.size = (png_size_t)length; - png_crc_read(png_ptr, (png_bytep)chunk.data, length); + if (length == 0) + chunk.data = NULL; + else + { + chunk.data = (png_bytep)png_malloc(png_ptr, length); + png_crc_read(png_ptr, (png_bytep)chunk.data, length); + } #if defined(PNG_READ_USER_CHUNKS_SUPPORTED) if(png_ptr->read_user_chunk_fn != NULL) { @@ -2207,7 +2213,7 @@ if(png_handle_as_unknown(png_ptr, png_ptr->chunk_name) != PNG_HANDLE_CHUNK_ALWAYS) { - png_free(png_ptr, chunk.data); + if(chunk.data) png_free(png_ptr, chunk.data); png_chunk_error(png_ptr, "unknown critical chunk"); } png_set_unknown_chunks(png_ptr, info_ptr, &chunk, 1); @@ -2216,7 +2222,7 @@ else #endif png_set_unknown_chunks(png_ptr, info_ptr, &chunk, 1); - png_free(png_ptr, chunk.data); + if(chunk.data) png_free(png_ptr, chunk.data); } else #endif --- pngset.c +++ pngset.c 
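Review bot: The chunk-name copy at the top of the first pngpread.c hunk is still the unbounded `png_strcpy((png_charp)chunk.name, (png_charp)png_ptr->chunk_name);`, while the pngrutil.c hunk in this same patch replaces the identical call with a bounded copy. The progressive reader should get the same treatment: `png_memcpy((png_charp)chunk.name, (png_charp)png_ptr->chunk_name, png_sizeof(chunk.name));` followed by `chunk.name[png_sizeof(chunk.name)-1] = '\0';`. Whether chunk_name can ever lack a terminator is not visible here, but the name presumably originates in the file being parsed, so the copy should not depend on it. The enclosing function starts and ends outside the hunk.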
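Review bot: The guard in `if (chunk.data) png_free(png_ptr, chunk.data);` (second pngpread.c hunk) looks redundant, because png_free() in libpng's pngmem.c returns early on a NULL pointer. Confirm that for this version and, if it holds, keep the plain `png_free(png_ptr, chunk.data);`. The same applies to the two `if(chunk.data) png_free(png_ptr, chunk.data);` lines in the later pngrutil.c hunks, which also differ in spacing (`if(` versus `if (`).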
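Review bot: The new `png_memcpy(..., png_sizeof(chunk.name))` in the first pngrutil.c hunk reads a fixed number of bytes from `png_ptr->chunk_name`, so it is only safe if that source array is at least as large as `chunk.name`; both declarations are outside the hunk. A comment would record the assumption, for example `/* chunk_name holds at least png_sizeof(chunk.name) bytes; last byte is forced to NUL */`. The `(png_charp)` casts are not needed for a memory copy and could be dropped. The pngset.c hunk uses the same pattern with `to->name` and `from->name`, and the same comment would fit there.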
@@ -1023,19 +1023,26 @@ png_unknown_chunkp to = np + info_ptr->unknown_chunks_num + i; png_unknown_chunkp from = unknowns + i; - png_strncpy((png_charp)to->name, (png_charp)from->name, 5); - to->data = (png_bytep)png_malloc_warn(png_ptr, from->size); - if (to->data == NULL) - { - png_warning(png_ptr, "Out of memory processing unknown chunk."); - } + png_memcpy((png_charp)to->name, + (png_charp)from->name, + png_sizeof(to->name)); + to->name[png_sizeof(to->name)-1] = '\0'; + to->size = from->size; + /* note our location in the read or write sequence */ + to->location = (png_byte)(png_ptr->mode & 0xff); + if (from->size == 0) + to->data=NULL; else { - png_memcpy(to->data, from->data, from->size); - to->size = from->size; - - /* note our location in the read or write sequence */ - to->location = (png_byte)(png_ptr->mode & 0xff); + to->data = (png_bytep)png_malloc_warn(png_ptr, from->size); + if (to->data == NULL) + { + png_warning(png_ptr, + "Out of memory processing unknown chunk."); + to->size=0; + } + else + png_memcpy(to->data, from->data, from->size); } } --- pngwrite.c +++ pngwrite.c @@ -112,6 +112,8 @@ ((up->name[3] & 0x20) || keep == PNG_HANDLE_CHUNK_ALWAYS || (png_ptr->flags & PNG_FLAG_KEEP_UNSAFE_CHUNKS))) { + if (up->size == 0) + png_warning(png_ptr, "Writing zero-length unknown chunk"); png_write_chunk(png_ptr, up->name, up->data, up->size); } }
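Review bot: In the pngset.c hunk, `png_memcpy(to->data, from->data, from->size);` runs whenever `from->size` is non-zero, with no check that `from->data` is non-NULL. If `unknowns` can be supplied by application code, which the hunk does not show, an entry with a size but no data pointer would be dereferenced. Widening the guard to `if (from->size == 0 || from->data == NULL)` and setting `to->size = 0;` in that branch would cover it. Separately, on allocation failure the entry is now kept with `to->size=0`, so it looks the same as a chunk that was empty in the file; a short comment on that line would help. The enclosing loop and function begin and end outside the hunk.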
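Review bot: The warning added in the pngwrite.c hunk cannot distinguish a chunk that was genuinely empty from one whose data was dropped by the out-of-memory branch in the pngset.c hunk, and `png_write_chunk` is called either way. A comment above the check would record why it exists, for example `/* size 0: an empty chunk, or data dropped after an allocation failure when the chunk was stored */`. If writing a truncated chunk under a valid name is not intended, the two cases would need a separate marker. The surrounding condition and loop start outside the hunk.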