authorskal <pascal.massimino@gmail.com>2019-07-29 15:22:06 +0200
committerCosmin Truta <ctruta@gmail.com>2020-04-27 00:16:36 -0400
commiteb6767273a4eb5d6f4ad528370d7262cf7aa220c (patch)
tree2ab614985eb293f9e7bfa7c11db72b6f76eb8a67 /pngrutil.c
parent9f734b13f4ea062af98652c4c7678f667d2d85c7 (diff)
downloadlibpng-eb6767273a4eb5d6f4ad528370d7262cf7aa220c.tar.gz
Fix memory leak if eXIf has incorrect crc
Problem description: Imagine a bitstream with an eXIf data segment that has an invalid CRC. If png_crc_finish() fails at line 2090, info_ptr->eXIf_buf is not freed (despite the free_me setting at line 2062) because png_free_data() is not called. png_read_info() actually loops several times over the png_eXIf chunk, calling png_handle_eXIf() several times in a row without freeing the buffer. This patch fixes the problem by leaving info_ptr's content in a clean state in case of failure, as is done at line 2084.
Diffstat (limited to 'pngrutil.c')
-rw-r--r--pngrutil.c6
1 files changed, 2 insertions, 4 deletions
diff --git a/pngrutil.c b/pngrutil.c
index d5fa08c39..4db3de990 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -2087,10 +2087,8 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
}
}
- if (png_crc_finish(png_ptr, 0) != 0)
- return;
-
- png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
+ if (png_crc_finish(png_ptr, 0) == 0)
+ png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
png_free(png_ptr, info_ptr->eXIf_buf);
info_ptr->eXIf_buf = NULL;