From a3a21443ed12bfa1ef46fa0d4fb2b74a0fa34a25 Mon Sep 17 00:00:00 2001
From: Oblivionsage <cookieandcream560@gmail.com>
Date: Tue, 17 Mar 2026 08:55:18 +0100
Subject: [PATCH] fix: Initialize tail bytes in `trans_alpha` buffers

Although the arrays `info_ptr->trans_alpha` and `png_ptr->trans_alpha`
are allocated 256 bytes, only `num_trans` bytes are copied.
The remaining entries were left uninitialized. Set them to 0xff (fully
opaque) before copying, which matches the conventional treatment of
entries beyond `num_trans`.

This is a follow-up to the previous use-after-free fix.

Reported-by: Cosmin Truta <ctruta@gmail.com>
Reviewed-by: Cosmin Truta <ctruta@gmail.com>
Signed-off-by: Cosmin Truta <ctruta@gmail.com>
---
 pngset.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Index: libpng-1.6.8/pngset.c
===================================================================
--- libpng-1.6.8.orig/pngset.c
+++ libpng-1.6.8/pngset.c
@@ -928,9 +928,13 @@ png_set_tRNS(png_structrp png_ptr, png_i
 
        if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH)
        {
-         /* Allocate info_ptr's copy of the transparency data. */
+          /* Allocate info_ptr's copy of the transparency data.
+           * Initialize all entries to fully opaque (0xff), then overwrite
+           * the first num_trans entries with the actual values.
+           */
          info_ptr->trans_alpha = png_voidcast(png_bytep,
            png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
+         memset(info_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH);
          memcpy(info_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans);
 
           /* Allocate an independent copy for png_struct, so that the
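Review bot: Only this site explains the 0xff fill; the identical `memset` added in the next hunk for `png_ptr->trans_alpha` carries no comment, so a later edit to one copy can silently drop the tail guarantee from the other. I would add `/* Entries beyond num_trans stay 0xff (fully opaque), as in info_ptr's copy. */` above the second memset. The rewritten comment here is also indented one column deeper than the statements it documents, where the comment it replaces was aligned with them. Both writes are bounded by the `num_trans <= PNG_MAX_PALETTE_LENGTH` guard at the top of the hunk; the body of png_set_tRNS starts and ends outside it.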
@@ -944,6 +948,7 @@ png_set_tRNS(png_structrp png_ptr, png_i
           png_free(png_ptr, png_ptr->trans_alpha);
           png_ptr->trans_alpha = png_voidcast(png_bytep,
               png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
+          memset(png_ptr->trans_alpha, 0xff, PNG_MAX_PALETTE_LENGTH);
           memcpy(png_ptr->trans_alpha, trans_alpha, (size_t)num_trans);
        }
        else
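Review bot: `png_free(png_ptr, png_ptr->trans_alpha)` runs before the replacement buffer exists, so the struct holds a freed pointer until the assignment completes. png_malloc reports failure through png_error rather than returning NULL, so if that path unwinds to the application the stale pointer would remain for whatever cleanup runs later; that cleanup is not visible here, so this part is inferred. The same ordering also requires that the caller's `trans_alpha` never be the buffer just freed, which the hunk does not establish. Building the copy in a local and swapping it in afterwards removes both concerns, as sketched below. The enclosing block and png_set_tRNS itself extend outside the hunk.

```c
/* new_alpha: png_bytep local declared at the top of the enclosing block */
new_alpha = png_voidcast(png_bytep,
    png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
memset(new_alpha, 0xff, PNG_MAX_PALETTE_LENGTH);
memcpy(new_alpha, trans_alpha, (size_t)num_trans);
/* Release the old buffer only once its replacement is complete. */
png_free(png_ptr, png_ptr->trans_alpha);
png_ptr->trans_alpha = new_alpha;
```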
