Fix leak in PixarLogSetupDecode

The call may come from TIFFReadRGBAImageOriented, and there no cleanup
is done. So free the memory allocation on failure.

BUG=681301

Change-Id: I4ac7db03d18eddd3117649ca185dffdcc9189870
Reviewed-on: https://pdfium-review.googlesource.com/2252
Reviewed-by: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>

4 files changed, 32 insertions, 1 deletions

diff --git a/third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.diff b/third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.patch
index e9d3a408bf..e9d3a408bf 100644
--- a/third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.diff
+++ b/third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.patch
diff --git a/third_party/libtiff/0016-fix-leak-in-pixarlogsetupdecode.patch b/third_party/libtiff/0016-fix-leak-in-pixarlogsetupdecode.patch
new file mode 100644
index 0000000000..c49e676c34
--- /dev/null
+++ b/third_party/libtiff/0016-fix-leak-in-pixarlogsetupdecode.patch
@@ -0,0 +1,24 @@
+diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
+index 29535d31e..80006d5b1 100644
+--- a/third_party/libtiff/tif_pixarlog.c
++++ b/third_party/libtiff/tif_pixarlog.c
+@@ -697,6 +697,9 @@ PixarLogSetupDecode(TIFF* tif)
+        if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
+                sp->user_datafmt = PixarLogGuessDataFmt(td);
+        if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
++               _TIFFfree(sp->tbuf);
++               sp->tbuf = NULL;
++               sp->tbuf_size = 0;
+                TIFFErrorExt(tif->tif_clientdata, module,
+                        "PixarLog compression can't handle bits depth/data format combination (depth: %d)", 
+                        td->td_bitspersample);
+@@ -704,6 +707,9 @@ PixarLogSetupDecode(TIFF* tif)
+        }
+ 
+        if (inflateInit(&sp->stream) != Z_OK) {
++               _TIFFfree(sp->tbuf);
++               sp->tbuf = NULL;
++               sp->tbuf_size = 0;
+                TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg);
+                return (0);
+        } else {
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index cc50be73e6..23c8450eff 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -24,4 +24,5 @@ Local Modifications:
 0012-initialize-tif-rawdata.patch: Initialize tif_rawdata to guard against unitialized access
 0013-validate-refblackwhite.patch: Make sure the refblackwhite values aren't nan.
 0014-cast-to-unsigned-in-putagreytile.patch: casting to avoid undefined shifts.
-0015-fix-leaks-in-tif_ojpeg.diff: fix direct leaks in tif_ojpeg.c methods
+0015-fix-leaks-in-tif_ojpeg.patch: fix direct leaks in tif_ojpeg.c methods
+0016-fix-leak-in-pixarlogsetupdecode.patch: Free sp->tbuf if setup fails
diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
index 29535d31ee..80006d5b1b 100644
--- a/third_party/libtiff/tif_pixarlog.c
+++ b/third_party/libtiff/tif_pixarlog.c
@@ -697,6 +697,9 @@ PixarLogSetupDecode(TIFF* tif)
 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
 		sp->user_datafmt = PixarLogGuessDataFmt(td);
 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
+		_TIFFfree(sp->tbuf);
+		sp->tbuf = NULL;
+		sp->tbuf_size = 0;
 		TIFFErrorExt(tif->tif_clientdata, module,
 			"PixarLog compression can't handle bits depth/data format combination (depth: %d)", 
 			td->td_bitspersample);
@@ -704,6 +707,9 @@ PixarLogSetupDecode(TIFF* tif)
 	}
 
 	if (inflateInit(&sp->stream) != Z_OK) {
+		_TIFFfree(sp->tbuf);
+		sp->tbuf = NULL;
+		sp->tbuf_size = 0;
 		TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg);
 		return (0);
 	} else {