Security fix for CVE-2011-2691 backported from png 1.4.8, from naddy@.

(forgotten in previous commit..)
See https://bugzilla.mozilla.org/show_bug.cgi?id=669863 for details.

www/fennec/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.7 2011/06/28 22:01:17 landry Exp $
+# $OpenBSD: Makefile,v 1.8 2011/07/30 07:55:53 landry Exp $
 
 COMMENT =	Mozilla mobile web browser
 
@@ -6,6 +6,7 @@ MOZILLA_VERSION =	5.0
 MOZILLA_BRANCH =	mobile-${MOZILLA_VERSION}
 MOZILLA_PROJECT =	fennec
 MOZILLA_CODENAME =	mobile
+REVISION =	0
 
 SO_VERSION =	1.0
 NSS_SO_VERSION =	27.0

www/fennec/patches/patch-modules_libimg_png_pngerror_c

@@ -0,0 +1,34 @@
+$OpenBSD: patch-modules_libimg_png_pngerror_c,v 1.1 2011/07/30 07:55:53 landry Exp $
+Fix for CVE-2011-2691 backported from png 1.4.8
+--- modules/libimg/png/pngerror.c.orig	Sun Jul 24 19:00:17 2011
++++ modules/libimg/png/pngerror.c	Sun Jul 24 19:02:55 2011
+@@ -88,11 +88,11 @@ void PNGAPI
+ png_err(png_structp png_ptr)
+ {
+    if (png_ptr != NULL && png_ptr->error_fn != NULL)
+-      (*(png_ptr->error_fn))(png_ptr, '\0');
++      (*(png_ptr->error_fn))(png_ptr, "");
+ 
+    /* If the custom handler doesn't exist, or if it returns,
+       use the default handler, which will not return. */
+-   png_default_error(png_ptr, '\0');
++   png_default_error(png_ptr, "");
+ }
+ #endif /* PNG_ERROR_TEXT_SUPPORTED */
+ 
+@@ -181,8 +181,13 @@ png_format_buffer(png_structp png_ptr, png_charp buffe
+    {
+       buffer[iout++] = ':';
+       buffer[iout++] = ' ';
+-      png_memcpy(buffer + iout, error_message, PNG_MAX_ERROR_TEXT);
+-      buffer[iout + PNG_MAX_ERROR_TEXT - 1] = '\0';
++
++      iin = 0;
++      while (iin < PNG_MAX_ERROR_TEXT-1 && error_message[iin] != '\0')
++         buffer[iout++] = error_message[iin++];
++
++      /* iin < PNG_MAX_ERROR_TEXT, so the following is safe: */
++      buffer[iout] = '\0';
+    }
+ }
+