summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNicolas Pena <npm@chromium.org>2017-01-18 14:28:00 -0500
committerChromium commit bot <commit-bot@chromium.org>2017-01-19 18:44:17 +0000
commit352b6971deeb8e7438b6880fd4a26fd3f9382c47 (patch)
tree1aa47c580c3c736c8617ca5ae6676d6702122bd6
parent341b5c2c1cbd310d29ef3db2dbea1ec9b1b981ec (diff)
downloadpdfium-352b6971deeb8e7438b6880fd4a26fd3f9382c47.tar.xz
Fix leak in PixarLogSetupDecode
The call may come from TIFFReadRGBAImageOriented, and there no cleanup is done. So free the memory allocation on failure. BUG=681301 Change-Id: I4ac7db03d18eddd3117649ca185dffdcc9189870 Reviewed-on: https://pdfium-review.googlesource.com/2252 Reviewed-by: dsinclair <dsinclair@chromium.org> Reviewed-by: Tom Sepez <tsepez@chromium.org> Commit-Queue: Nicolás Peña <npm@chromium.org>
-rw-r--r--third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.patch (renamed from third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.diff)0
-rw-r--r--third_party/libtiff/0016-fix-leak-in-pixarlogsetupdecode.patch24
-rw-r--r--third_party/libtiff/README.pdfium3
-rw-r--r--third_party/libtiff/tif_pixarlog.c6
4 files changed, 32 insertions, 1 deletions
diff --git a/third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.diff b/third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.patch
index e9d3a408bf..e9d3a408bf 100644
--- a/third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.diff
+++ b/third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.patch
diff --git a/third_party/libtiff/0016-fix-leak-in-pixarlogsetupdecode.patch b/third_party/libtiff/0016-fix-leak-in-pixarlogsetupdecode.patch
new file mode 100644
index 0000000000..c49e676c34
--- /dev/null
+++ b/third_party/libtiff/0016-fix-leak-in-pixarlogsetupdecode.patch
@@ -0,0 +1,24 @@
+diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
+index 29535d31e..80006d5b1 100644
+--- a/third_party/libtiff/tif_pixarlog.c
++++ b/third_party/libtiff/tif_pixarlog.c
+@@ -697,6 +697,9 @@ PixarLogSetupDecode(TIFF* tif)
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
+ sp->user_datafmt = PixarLogGuessDataFmt(td);
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
++ _TIFFfree(sp->tbuf);
++ sp->tbuf = NULL;
++ sp->tbuf_size = 0;
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "PixarLog compression can't handle bits depth/data format combination (depth: %d)",
+ td->td_bitspersample);
+@@ -704,6 +707,9 @@ PixarLogSetupDecode(TIFF* tif)
+ }
+
+ if (inflateInit(&sp->stream) != Z_OK) {
++ _TIFFfree(sp->tbuf);
++ sp->tbuf = NULL;
++ sp->tbuf_size = 0;
+ TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg);
+ return (0);
+ } else {
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index cc50be73e6..23c8450eff 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -24,4 +24,5 @@ Local Modifications:
0012-initialize-tif-rawdata.patch: Initialize tif_rawdata to guard against unitialized access
0013-validate-refblackwhite.patch: Make sure the refblackwhite values aren't nan.
0014-cast-to-unsigned-in-putagreytile.patch: casting to avoid undefined shifts.
-0015-fix-leaks-in-tif_ojpeg.diff: fix direct leaks in tif_ojpeg.c methods
+0015-fix-leaks-in-tif_ojpeg.patch: fix direct leaks in tif_ojpeg.c methods
+0016-fix-leak-in-pixarlogsetupdecode.patch: Free sp->tbuf if setup fails
diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
index 29535d31ee..80006d5b1b 100644
--- a/third_party/libtiff/tif_pixarlog.c
+++ b/third_party/libtiff/tif_pixarlog.c
@@ -697,6 +697,9 @@ PixarLogSetupDecode(TIFF* tif)
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
sp->user_datafmt = PixarLogGuessDataFmt(td);
if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
+ _TIFFfree(sp->tbuf);
+ sp->tbuf = NULL;
+ sp->tbuf_size = 0;
TIFFErrorExt(tif->tif_clientdata, module,
"PixarLog compression can't handle bits depth/data format combination (depth: %d)",
td->td_bitspersample);
@@ -704,6 +707,9 @@ PixarLogSetupDecode(TIFF* tif)
}
if (inflateInit(&sp->stream) != Z_OK) {
+ _TIFFfree(sp->tbuf);
+ sp->tbuf = NULL;
+ sp->tbuf_size = 0;
TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg);
return (0);
} else {