authorGlenn Randers-Pehrson <glennrp at users.sourceforge.net>2017-08-01 21:42:16 -0500
committerGlenn Randers-Pehrson <glennrp at users.sourceforge.net>2017-08-01 21:42:16 -0500
commit71a56180e54de5ffa42b7e85835c272771393add (patch)
treeedb8cf7b2b56dab3295bbc3ed9b36cb4fe785fa5 /pngrutil.c
parentcb628b2e4ea33ab3041076f7e03e68678f02f12b (diff)
[libpng16] Stop memory leak when returning from png_handle_eXIf() with an error
(Bug report from the OSS-fuzz project).
Diffstat (limited to 'pngrutil.c')
-rw-r--r--pngrutil.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/pngrutil.c b/pngrutil.c
index 3be7c17cc..7e6ac2077 100644
--- a/pngrutil.c
+++ b/pngrutil.c
@@ -2014,6 +2014,7 @@ void /* PRIVATE */
png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
{
unsigned int i;
+
png_bytep eXIf_buf;
png_debug(1, "in png_handle_eXIf");
@@ -2031,18 +2032,25 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
eXIf_buf = png_voidcast(png_bytep,
png_malloc_warn(png_ptr, length));
+ if (eXIf_buf == NULL)
+ {
+ png_crc_finish(png_ptr, length);
+ png_chunk_benign_error(png_ptr, "out of memory");
+ return;
+ }
+
+ info_ptr->eXIf_buf = eXIf_buf; /* So it will be freed on error */
+ info_ptr->free_me |= PNG_FREE_EXIF;
for (i = 0; i < length; i++)
{
png_byte buf[1];
png_crc_read(png_ptr, buf, 1);
eXIf_buf[i] = buf[0];
}
+ info_ptr->eXIf_buf = NULL;
if (png_crc_finish(png_ptr, 0) != 0)
- {
- png_free(png_ptr, eXIf_buf);
return;
- }
png_set_eXIf_1(png_ptr, info_ptr, length, eXIf_buf);
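Review bot: The early return after `png_crc_finish(png_ptr, 0) != 0` now appears to leak `eXIf_buf`. The added `info_ptr->eXIf_buf = NULL;` just above it drops the info struct's reference, and the `png_free(png_ptr, eXIf_buf);` that used to sit in that branch is removed, so nothing visible in the hunk owns the buffer on a CRC mismatch. Since chunk data comes from the file being decoded, a bad CRC is an input-controlled path and each such chunk would leak `length` bytes. Keeping the free closes it: `if (png_crc_finish(png_ptr, 0) != 0) { png_free(png_ptr, eXIf_buf); return; }`. The function continues past the hunk, so whether the buffer is released after `png_set_eXIf_1()` cannot be confirmed from here.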