[png-mng-implement] Possible bug in libpng 1.2.33 pngwutil.c png_write_zTXt

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I've just downloaded 1.2.33 with a view to updating to it, and got the 
following warning from Visual Studio:

pngwutil.c(1417) : warning C4701: potentially uninitialized local 
variable 'new_key' used

this is the png_free call near the end of this fragment

> #if defined(PNG_WRITE_zTXt_SUPPORTED)
> /* write a compressed text chunk */
> void /* PRIVATE */
> png_write_zTXt(png_structp png_ptr, png_charp key, png_charp text,
>    png_size_t text_len, int compression)
> {
> #ifdef PNG_USE_LOCAL_ARRAYS
>    PNG_zTXt;
> #endif
>    png_size_t key_len;
>    char buf[1];
>    png_charp new_key;
>    compression_state comp;
> 
>    png_debug(1, "in png_write_zTXt\n");
> 
>    comp.num_output_ptr = 0;
>    comp.max_output_ptr = 0;
>    comp.output_ptr = NULL;
>    comp.input = NULL;
>    comp.input_len = 0;
> 
>    if (key == NULL || (key_len = png_check_keyword(png_ptr, key, &new_key))==0)
>    {
>       png_warning(png_ptr, "Empty keyword in zTXt chunk");
>       png_free(png_ptr, new_key);
>       return;
>    }

I can't tell if it is possible to call png_write_zTXt with a NULL key,
but if it is then this code will indeed attempt to free memory at the 
address in an uninitialised pointer. This could be fixed either by 
initialising new_key to NULL so the check in png_free will avoid the 
free, or by removing the key==NULL test so that png_check_keyword will 
initialise it (it already checks for key==NULL).

Arvan

-- 
Arvan Pritchard
Informatix Software International Limited
Tel +44 (0)1223 246777 Fax +44 (0)1223 246778
Registered office: 509 Coldhams Lane, Cambridge, CB1 3JS, United Kingdom
Company Registration in England & Wales 3319498, VAT number GB 688 5110 10
www.informatix.co.uk