Confirmed the PNG-related compiler warning is a red herring (false lead). Attached test code test-pngsafecat.c.txt shows the destination buffer can be garbage and still work just fine, since indexing is used. Only the src buffer must be NULL-terminated.
I suppose I should report this upstream anyway, not as a security issue, but to silence overzealous compiler warnings, as it's possible compilers of the future will simply report uninitialized buffers.
Question: Is it possible libpng builds with fewer warning flags than we build it with? If so they may never even see the warning even with the same build environment. I'll be sure to cover that we use libpng bundled with our own code.
I'll look into the test/icon.cxx warnings next.
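
The behaviour described in the message above, as an added example that is not the poster's attachment and not libpng's source: `safecat_model` is a hypothetical stand-in for an index-based append, and the 0xAA fill is constructed garbage used so the run is deterministic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of an index-based append (assumption, not libpng code):
 * writes start at buf[pos], so bytes already in buf are never read. */
static size_t safecat_model(char *buf, size_t bufsize, size_t pos,
                            const char *src)
{
    if (buf != NULL && pos < bufsize) {
        if (src != NULL)
            while (*src != '\0' && pos < bufsize - 1)
                buf[pos++] = *src++;   /* only src is scanned for its NUL */
        buf[pos] = '\0';               /* result is always terminated */
    }
    return pos;
}

/* Destination holds constructed garbage with no NUL anywhere; append twice. */
static int garbage_dest_ok(void)
{
    char buf[16];
    size_t pos = 0;
    memset(buf, 0xAA, sizeof buf);
    pos = safecat_model(buf, sizeof buf, pos, "IHDR");
    pos = safecat_model(buf, sizeof buf, pos, ": bad");
    return pos == 9 && strcmp(buf, "IHDR: bad") == 0;
}

/* Source longer than the buffer: output is truncated and still terminated. */
static size_t truncated_len(void)
{
    char buf[8];
    size_t pos;
    memset(buf, 0xAA, sizeof buf);
    pos = safecat_model(buf, sizeof buf, 0, "0123456789");
    return (buf[pos] == '\0') ? pos : (size_t)-1;
}

int main(void)
{
    printf("garbage dest ok: %d\n", garbage_dest_ok());
    printf("truncated length: %zu\n", truncated_len());
    return 0;
}
```

A `strcat`-style append differs because it must first scan the destination for its terminator, which is why an uninitialized destination is a real defect there but not with a caller-supplied index.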