Hmm, reopening because:

1. I'm not not completely convinced the libpng warning is legit. Looking at their code, I think the operation is safe, because their append code uses a position index that starts at 0, and only looks for null termination in the source string, not the dest. So the "fix" I committed just silences a possibly benign error. Investigating before I report upstream, as I want to be sure if there's security implications or not. Apparently reporting security issues for libpng can be done thru private email, without joining a mailing list. Just google for 'libpng reporting bugs' to find it, e.g.

If you wish to privately report a security issue (vulnerability)
in libpng, please report it by email to:
    png-mng-security at lists.osuosl.org
where it will be seen by a small group of long-time libpng
contributors. You don't need to subscribe (in fact you probably
won't be allowed to subscribe) to that list.

2. I see there's some other warnings I didn't catch from the build of test/icon.cxx, another potential buffer uninitialized issue. (attached) icon-warnings.txt

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.