From 63b1948b4d03f401f5de1c5bd06721bd627ab024 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Simon=20B=C3=BCnzli?= Date: Wed, 15 Jan 2014 00:00:44 +0100 Subject: fix memory leaks in pdf_load_jpx and fz_new_image_from_pixmap fz_new_image_from_pixmap expects that the pixmap's colorspace has two references which is contrary to expectations. If it instead addrefs the pixmap's colorspace, the only caller pdf_load_jpx can consistently drop the colorspace after passing it to fz_load_jpx. Also, if the contract is that whatever is passed into fz_new_image_from_pixmap belongs to the new image, then the pixmap also has to be dropped on error so that it isn't leaked. --- source/fitz/image.c | 3 ++- source/pdf/pdf-image.c | 15 ++++++--------- 2 files changed, 8 insertions(+), 10 deletions(-) (limited to 'source')
diff --git a/source/fitz/image.c b/source/fitz/image.c
index 2144674a..f5af4539 100644
--- a/source/fitz/image.c
+++ b/source/fitz/image.c
@@ -340,7 +340,7 @@ fz_new_image_from_pixmap(fz_context *ctx, fz_pixmap *pixmap, fz_image *mask)
 image->w = pixmap->w;
 image->h = pixmap->h;
 image->n = pixmap->n;
- image->colorspace = pixmap->colorspace;
+ image->colorspace = fz_keep_colorspace(ctx, pixmap->colorspace);
 image->bpc = 8;
 image->buffer = NULL;
 image->get_pixmap = fz_image_get_pixmap;
@@ -351,6 +351,7 @@ fz_new_image_from_pixmap(fz_context *ctx, fz_pixmap *pixmap, fz_image *mask)
 }
 fz_catch(ctx)
 {
+ fz_drop_pixmap(ctx, pixmap);
 fz_drop_image(ctx, mask);
 fz_rethrow(ctx);
 }
diff --git a/source/pdf/pdf-image.c b/source/pdf/pdf-image.c
index ef7f94ad..c329c1a7 100644
--- a/source/pdf/pdf-image.c
+++ b/source/pdf/pdf-image.c
@@ -216,12 +216,6 @@ pdf_load_jpx(pdf_document *doc, pdf_obj *dict, int forcemask)
 img = fz_load_jpx(ctx, buf->data, buf->len, colorspace, indexed);
- if (colorspace == NULL)
- colorspace = fz_keep_colorspace(ctx, img->colorspace);
-
- fz_drop_buffer(ctx, buf);
- buf = NULL;
-
 obj = pdf_dict_getsa(dict, "SMask", "Mask");
 if (pdf_is_dict(obj))
 {
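Review bot: The ownership rule this change settles on is not written down in either fz_new_image_from_pixmap hunk (-340 and -351): the image now takes its own colorspace reference through `fz_keep_colorspace`, while `pixmap` and `mask` are consumed outright, including on the `fz_catch` path. A caller that still drops the pixmap after a failed call would now release it twice, so the contract belongs in a comment above the function, for example `/* Takes ownership of pixmap and mask, also on error; keeps its own reference to pixmap->colorspace. */`. The function's signature and the start of its fz_try body lie outside both hunks, so whether such a comment already exists there cannot be told from here.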
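Review bot: Removing the early `fz_drop_buffer(ctx, buf); buf = NULL;` in the -216 hunk keeps the encoded JPX stream allocated until `fz_always` runs, that is, across the SMask/Mask handling that follows in the same try block. For large embedded images in untrusted documents this raises peak memory while the mask is processed. The two lines could stay where they were, since the old catch block already called `fz_drop_buffer` on a `buf` that had been set to NULL. The try block starts and ends outside this hunk.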
@@ -243,14 +237,17 @@ pdf_load_jpx(pdf_document *doc, pdf_obj *dict, int forcemask)
 fz_decode_tile(img, decode);
 }
 }
- fz_catch(ctx)
+ fz_always(ctx)
 {
- if (colorspace)
- fz_drop_colorspace(ctx, colorspace);
+ fz_drop_colorspace(ctx, colorspace);
 fz_drop_buffer(ctx, buf);
+ }
+ fz_catch(ctx)
+ {
 fz_drop_pixmap(ctx, img);
 fz_rethrow(ctx);
 }
+
 return fz_new_image_from_pixmap(ctx, img, mask);
 }
-- cgit v1.2.3
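Review bot: `fz_drop_colorspace(ctx, colorspace);` in the new `fz_always` block has lost the `if (colorspace)` guard, and because the -216 hunk removes the fallback `colorspace = fz_keep_colorspace(ctx, img->colorspace);`, a NULL `colorspace` can now reach it on the success path as well as on error. That is fine only if fz_drop_colorspace tolerates NULL; a one-line comment such as `/* colorspace may be NULL here; the drop functions accept that */` would record the assumption. Separately, the `fz_catch` block releases `img` but not `mask`: if the mask is loaded inside the try body (not visible in this hunk) and a later step throws, that reference appears to leak. Adding `fz_drop_image(ctx, mask);` next to `fz_drop_pixmap(ctx, img);` would cover it, provided `mask` starts as NULL and is registered with fz_var, which should be confirmed against the full function.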