author | Nicolas Pena <npm@chromium.org> | 2017-01-18 14:28:00 -0500 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-01-19 18:44:17 +0000 |
commit | 352b6971deeb8e7438b6880fd4a26fd3f9382c47 (patch) | |
tree | 1aa47c580c3c736c8617ca5ae6676d6702122bd6 | |
parent | 341b5c2c1cbd310d29ef3db2dbea1ec9b1b981ec (diff) | |
download | pdfium-352b6971deeb8e7438b6880fd4a26fd3f9382c47.tar.xz |
Fix leak in PixarLogSetupDecode
The call may come from TIFFReadRGBAImageOriented, and no cleanup is done
there. So free the allocated memory on failure.
BUG=681301
Change-Id: I4ac7db03d18eddd3117649ca185dffdcc9189870
Reviewed-on: https://pdfium-review.googlesource.com/2252
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
-rw-r--r-- | third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.patch (renamed from third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.diff) | 0 | ||||
-rw-r--r-- | third_party/libtiff/0016-fix-leak-in-pixarlogsetupdecode.patch | 24 | ||||
-rw-r--r-- | third_party/libtiff/README.pdfium | 3 | ||||
-rw-r--r-- | third_party/libtiff/tif_pixarlog.c | 6 |
4 files changed, 32 insertions, 1 deletions
diff --git a/third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.diff b/third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.patch
index e9d3a408bf..e9d3a408bf 100644
--- a/third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.diff
+++ b/third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.patch
diff --git a/third_party/libtiff/0016-fix-leak-in-pixarlogsetupdecode.patch b/third_party/libtiff/0016-fix-leak-in-pixarlogsetupdecode.patch
new file mode 100644
index 0000000000..c49e676c34
--- /dev/null
+++ b/third_party/libtiff/0016-fix-leak-in-pixarlogsetupdecode.patch
@@ -0,0 +1,24 @@
+diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
+index 29535d31e..80006d5b1 100644
+--- a/third_party/libtiff/tif_pixarlog.c
++++ b/third_party/libtiff/tif_pixarlog.c
+@@ -697,6 +697,9 @@ PixarLogSetupDecode(TIFF* tif)
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
+ sp->user_datafmt = PixarLogGuessDataFmt(td);
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
++ _TIFFfree(sp->tbuf);
++ sp->tbuf = NULL;
++ sp->tbuf_size = 0;
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "PixarLog compression can't handle bits depth/data format combination (depth: %d)",
+ td->td_bitspersample);
+@@ -704,6 +707,9 @@ PixarLogSetupDecode(TIFF* tif)
+ }
+
+ if (inflateInit(&sp->stream) != Z_OK) {
++ _TIFFfree(sp->tbuf);
++ sp->tbuf = NULL;
++ sp->tbuf_size = 0;
+ TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg);
+ return (0);
+ } else {
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index cc50be73e6..23c8450eff 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -24,4 +24,5 @@ Local Modifications:
 0012-initialize-tif-rawdata.patch: Initialize tif_rawdata to guard against unitialized access
 0013-validate-refblackwhite.patch: Make sure the refblackwhite values aren't nan.
 0014-cast-to-unsigned-in-putagreytile.patch: casting to avoid undefined shifts.
-0015-fix-leaks-in-tif_ojpeg.diff: fix direct leaks in tif_ojpeg.c methods
+0015-fix-leaks-in-tif_ojpeg.patch: fix direct leaks in tif_ojpeg.c methods
+0016-fix-leak-in-pixarlogsetupdecode.patch: Free sp->tbuf if setup fails
diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
index 29535d31ee..80006d5b1b 100644
--- a/third_party/libtiff/tif_pixarlog.c
+++ b/third_party/libtiff/tif_pixarlog.c
@@ -697,6 +697,9 @@ PixarLogSetupDecode(TIFF* tif)
 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
 sp->user_datafmt = PixarLogGuessDataFmt(td);
 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
+ _TIFFfree(sp->tbuf);
+ sp->tbuf = NULL;
+ sp->tbuf_size = 0;
 TIFFErrorExt(tif->tif_clientdata, module,
 "PixarLog compression can't handle bits depth/data format combination (depth: %d)",
 td->td_bitspersample);
@@ -704,6 +707,9 @@ PixarLogSetupDecode(TIFF* tif)
 }

 if (inflateInit(&sp->stream) != Z_OK) {
+ _TIFFfree(sp->tbuf);
+ sp->tbuf = NULL;
+ sp->tbuf_size = 0;
 TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg);
 return (0);
 } else { |
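Review bot: The three-line release of `sp->tbuf` in the unknown-data-format branch is repeated verbatim in the `inflateInit` failure branch of the next hunk, and neither copy says why `PixarLogSetupDecode` has to free the buffer itself. A short comment above each, e.g. `/* Callers such as TIFFReadRGBAImageOriented do no cleanup after a failed setup, so release tbuf here. */`, would keep the reasoning from the commit message next to the code. Resetting `sp->tbuf` to NULL and `sp->tbuf_size` to 0 is presumably what keeps a later cleanup pass from freeing the buffer a second time, so the comment should note that those two lines must stay with the free. The allocation of `sp->tbuf` and the start of the function are outside the hunk, so any other early return between the allocation and these checks could not be checked here.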
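Review bot: The `TIFFErrorExt(..., "%s", sp->stream.msg)` call in the `inflateInit` failure branch passes `sp->stream.msg` to `%s` without a NULL check, and the commit leaves that line as it was. zlib documents `msg` as null when there is no error message, and an early `inflateInit` failure likely leaves it that way, which would make the format call undefined behaviour on the very error path this commit is tidying up. Guard it in place: `TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg ? sp->stream.msg : "(null)");`. The `else` branch and the end of the function are outside the hunk.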