From 8e783a6b2c165b5d3dcdf9e4d4c2526ac18c77c8 Mon Sep 17 00:00:00 2001
From: dsinclair <dsinclair@chromium.org>
Date: Tue, 6 Sep 2016 08:56:46 -0700
Subject: Avoid leaking params if any entry bad.

The call to png_set_pCAL can call into png_error for several reasons. This CL
verifies that the params are valid before calling into png_set_pCAL.

BUG=chromium:636214

Review-Url: https://codereview.chromium.org/2292313003
---
 .../libpng16/0003-check-errors-in-set-pcal.patch   | 47 ++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 third_party/libpng16/0003-check-errors-in-set-pcal.patch

(limited to 'third_party/libpng16/0003-check-errors-in-set-pcal.patch')

diff --git a/third_party/libpng16/0003-check-errors-in-set-pcal.patch b/third_party/libpng16/0003-check-errors-in-set-pcal.patch
new file mode 100644
index 0000000000..58e27ba623
--- /dev/null
+++ b/third_party/libpng16/0003-check-errors-in-set-pcal.patch
@@ -0,0 +1,47 @@
+diff --git a/pngset.c b/pngset.c
+index cccd9cd..83d6ce2 100644
+--- a/pngset.c
++++ b/pngset.c
+@@ -283,17 +283,29 @@ png_set_pCAL(png_const_structrp png_ptr, png_inforpinfo_ptr,
+ 
+    /* Check that the type matches the specification. */
+    if (type < 0 || type > 3)
+-      png_error(png_ptr, "Invalid pCAL equation type");
++   {
++      png_chunk_report(png_ptr, "Invalid pCAL equation type",
++            PNG_CHUNK_WRITE_ERROR);
++      return;
++   }
+ 
+    if (nparams < 0 || nparams > 255)
+-      png_error(png_ptr, "Invalid pCAL parameter count");
++   {
++      png_chunk_report(png_ptr, "Invalid pCAL parameter count",
++            PNG_CHUNK_WRITE_ERROR);
++      return;
++   }
+ 
+    /* Validate params[nparams] */
+    for (i=0; i<nparams; ++i)
+    {
+       if (params[i] == NULL ||
+           !png_check_fp_string(params[i], strlen(params[i])))
+-         png_error(png_ptr, "Invalid format for pCAL parameter");
++      {
++         png_chunk_report(png_ptr, "Invalid format for pCAL parameter",
++               PNG_CHUNK_WRITE_ERROR);
++         return;
++      }
+    }
+ 
+    info_ptr->pcal_purpose = png_voidcast(png_charp,
+@@ -301,8 +313,8 @@ png_set_pCAL(png_const_structrp png_ptr, png_inforpinfo_ptr,
+ 
+    if (info_ptr->pcal_purpose == NULL)
+    {
+-      png_warning(png_ptr, "Insufficient memory for pCAL purpose");
+-
++      png_chunk_report(png_ptr, "Insufficient memory for pCAL purpose",
++            PNG_CHUNK_WRITE_ERROR);
+       return;
+    }
-- 
cgit v1.2.3