authorkcwu <kcwu@chromium.org>2016-11-07 08:42:15 -0800
committerCommit bot <commit-bot@chromium.org>2016-11-07 08:42:15 -0800
commit5756a77fa289ce1ef18bd7f2da75a39575ead9fe (patch)
tree55fc6c4f7fe9bbe4d7a5dd1bfc4e8797c67b0c0c
parent014b012278b7438ef8d4b66730b8598c7eb4623a (diff)
downloadpdfium-5756a77fa289ce1ef18bd7f2da75a39575ead9fe.tar.xz
lcms: Fix memory leak in ReadSegmentedCurve
BUG=chromium:658223 Review-Url: https://codereview.chromium.org/2480013002
-rw-r--r--third_party/lcms2-2.6/0011-memory-leak-ReadSegmentedCurve.patch36
-rw-r--r--third_party/lcms2-2.6/README.pdfium1
-rw-r--r--third_party/lcms2-2.6/src/cmstypes.c11
3 files changed, 45 insertions, 3 deletions
diff --git a/third_party/lcms2-2.6/0011-memory-leak-ReadSegmentedCurve.patch b/third_party/lcms2-2.6/0011-memory-leak-ReadSegmentedCurve.patch
new file mode 100644
index 0000000000..a6cfe02b8c
--- /dev/null
+++ b/third_party/lcms2-2.6/0011-memory-leak-ReadSegmentedCurve.patch
@@ -0,0 +1,36 @@
+diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
+index 15199c7..04dd0c4 100644
+--- a/third_party/lcms2-2.6/src/cmstypes.c
++++ b/third_party/lcms2-2.6/src/cmstypes.c
+@@ -3968,7 +3968,7 @@ cmsToneCurve* ReadSegmentedCurve(struct _cms_typehandler_struct* self, cmsIOHAND
+ case cmsSigSampledCurveSeg: {
+ cmsUInt32Number Count;
+
+- if (!_cmsReadUInt32Number(io, &Count)) return NULL;
++ if (!_cmsReadUInt32Number(io, &Count)) goto Error;
+
+ Segments[i].nGridPoints = Count;
+ Segments[i].SampledPoints = (cmsFloat32Number*) _cmsCalloc(self ->ContextID, Count, sizeof(cmsFloat32Number));
+@@ -3987,7 +3987,7 @@ cmsToneCurve* ReadSegmentedCurve(struct _cms_typehandler_struct* self, cmsIOHAND
+ _cmsTagSignature2String(String, (cmsTagSignature) ElementSig);
+ cmsSignalError(self->ContextID, cmsERROR_UNKNOWN_EXTENSION, "Unknown curve element type '%s' found.", String);
+ }
+- return NULL;
++ goto Error;
+
+ }
+ }
+@@ -4001,7 +4001,12 @@ cmsToneCurve* ReadSegmentedCurve(struct _cms_typehandler_struct* self, cmsIOHAND
+ return Curve;
+
+ Error:
+- if (Segments) _cmsFree(self ->ContextID, Segments);
++ if (Segments) {
++ for (i=0; i < nSegments; i++) {
++ if (Segments[i].SampledPoints) _cmsFree(self ->ContextID, Segments[i].SampledPoints);
++ }
++ _cmsFree(self ->ContextID, Segments);
++ }
+ return NULL;
+ }
+
diff --git a/third_party/lcms2-2.6/README.pdfium b/third_party/lcms2-2.6/README.pdfium
index 60934f61b1..b0d5e3e000 100644
--- a/third_party/lcms2-2.6/README.pdfium
+++ b/third_party/lcms2-2.6/README.pdfium
@@ -20,4 +20,5 @@ Local Modifications:
0008-memory-leak-Type_MPEmatrix_Read.patch: Fix memory leak in MPEmatrix_Read.
0009-cmsStageAllocMatrix-param-swap.patch: Fix rows/cols swap in cmsStageAllocMatrix.
0010-reject-nan.patch: Reject NaN when reading float numbers.
+0011-memory-leak-ReadSegmentedCurve.patch: Fix memory leak in ReadSegmentedCurve.
TODO(ochang): List other patches.
diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
index 15199c7084..04dd0c4e00 100644
--- a/third_party/lcms2-2.6/src/cmstypes.c
+++ b/third_party/lcms2-2.6/src/cmstypes.c
@@ -3968,7 +3968,7 @@ cmsToneCurve* ReadSegmentedCurve(struct _cms_typehandler_struct* self, cmsIOHAND
case cmsSigSampledCurveSeg: {
cmsUInt32Number Count;
- if (!_cmsReadUInt32Number(io, &Count)) return NULL;
+ if (!_cmsReadUInt32Number(io, &Count)) goto Error;
Segments[i].nGridPoints = Count;
Segments[i].SampledPoints = (cmsFloat32Number*) _cmsCalloc(self ->ContextID, Count, sizeof(cmsFloat32Number));
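Review bot: `Count` is read directly from the profile stream and is passed to `_cmsCalloc` as the element count, with no upper bound checked in the visible lines. Whether `_cmsCalloc` rejects oversized or overflowing requests, and whether its NULL result is tested, cannot be seen here because the `case` body continues past the end of the hunk. If either is missing, a sanity limit on `Count` should be applied before the allocation. A one-line comment such as `/* Count is untrusted input; allocation failure is handled via Error */` would make the assumption explicit for the next reader.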
@@ -3987,7 +3987,7 @@ cmsToneCurve* ReadSegmentedCurve(struct _cms_typehandler_struct* self, cmsIOHAND
_cmsTagSignature2String(String, (cmsTagSignature) ElementSig);
cmsSignalError(self->ContextID, cmsERROR_UNKNOWN_EXTENSION, "Unknown curve element type '%s' found.", String);
}
- return NULL;
+ goto Error;
}
}
@@ -4001,7 +4001,12 @@ cmsToneCurve* ReadSegmentedCurve(struct _cms_typehandler_struct* self, cmsIOHAND
return Curve;
Error:
- if (Segments) _cmsFree(self ->ContextID, Segments);
+ if (Segments) {
+ for (i=0; i < nSegments; i++) {
+ if (Segments[i].SampledPoints) _cmsFree(self ->ContextID, Segments[i].SampledPoints);
+ }
+ _cmsFree(self ->ContextID, Segments);
+ }
return NULL;
}
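Review bot: The new cleanup loop under `Error:` tests `Segments[i].SampledPoints` for every index below `nSegments`, including entries the parser never reached, so it is only safe if the `Segments` array was zero-filled when it was allocated. That allocation is outside the hunk (the function body starts earlier), so this cannot be confirmed from here; if a non-zeroing allocator is used, the loop would pass indeterminate pointers to `_cmsFree`. If the array is zero-filled, a comment above the loop such as `/* Segments is zero-filled at allocation, so unread entries have SampledPoints == NULL */` would record the dependency. If the success path before `return Curve;` frees the segments with the same loop, the two copies could share one small static helper so they cannot drift apart.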