From eb6767273a4eb5d6f4ad528370d7262cf7aa220c Mon Sep 17 00:00:00 2001
From: skal
Date: Mon, 29 Jul 2019 15:22:06 +0200
Subject: [PATCH] Fix memory leak if eXIf has incorrect crc

Problem description: Imagine a bitstream with an eXIf data segment that has invalid CRC. If png_crc_finish() fails at line 2090, info_ptr->eXIf_buf is not freed (despite the free_me setting at line 2062) because png_free_data() is not called. png_read_info() is actually looping several time over the png_eXIf chunk, calling png_handle_eXIf() several time in a row without freeing the buffer. This patch fixes the problem by leaving info_ptr's content in a clean state in case of failure, as it is done at line 2084.
---
 pngrutil.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/pngrutil.c b/pngrutil.c
index d5fa08c397..4db3de990b 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -2087,10 +2087,8 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 }
 }
 
- if (png_crc_finish(png_ptr, 0) != 0)
- return;
-
- png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
+ if (png_crc_finish(png_ptr, 0) == 0)
+ png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
 
 png_free(png_ptr, info_ptr->eXIf_buf);
 info_ptr->eXIf_buf = NULL;
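Review bot: The unconditional `png_free(png_ptr, info_ptr->eXIf_buf);` at the end of the hunk is now the only thing keeping a stream of eXIf chunks with bad CRCs from growing memory, but nothing in the code records that invariant, so a later edit could reinstate an early return between `png_crc_finish()` and the free. A comment above the new `if` would pin it: `/* Always release the staging buffer below: an early return on CRC failure leaked it when png_read_info() handled several eXIf chunks in a row. */`. The diffstat shows only pngrutil.c changed, so no regression input covers the bad-CRC path; a PNG whose eXIf chunk has a corrupted CRC, read under LeakSanitizer, would make the fix verifiable. The earlier exits the description refers to (lines 2062 and 2084) and the function's closing brace lie outside the hunk, so whether those paths also leave `info_ptr->eXIf_buf` NULL cannot be confirmed from here.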