$OpenBSD: patch-modules_libimg_png_pngerror_c,v 1.1 2011/08/02 19:24:38 naddy Exp $

Fix for CVE-2011-2691 backported from png 1.2.45.

--- modules/libimg/png/pngerror.c.orig	Mon Aug  1 18:35:26 2011
+++ modules/libimg/png/pngerror.c	Mon Aug  1 18:38:38 2011
@@ -84,11 +84,11 @@ void PNGAPI
 png_err(png_structp png_ptr)
 {
    if (png_ptr != NULL && png_ptr->error_fn != NULL)
-      (*(png_ptr->error_fn))(png_ptr, '\0');
+      (*(png_ptr->error_fn))(png_ptr, "");
 
    /* If the custom handler doesn't exist, or if it returns,
       use the default handler, which will not return. */
-   png_default_error(png_ptr, '\0');
+   png_default_error(png_ptr, "");
 }
 #endif /* PNG_NO_ERROR_TEXT */
 
@@ -168,8 +168,13 @@ png_format_buffer(png_structp png_ptr, png_charp buffe
    {
       buffer[iout++] = ':';
       buffer[iout++] = ' ';
-      png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
-      buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';
+
+      iin = 0;
+      while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
+         buffer[iout++] = error_message[iin++];
+
+      /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
+      buffer[iout] = '\0';
    }
 }
 
