author | Nicolas Pena <npm@chromium.org> | 2017-01-26 15:45:02 -0500 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-01-26 22:24:08 +0000 |
commit | 0630447196b898b60103ca634e5c9d034b9d24d1 (patch) | |
tree | 61bd5749483cca95d1c33a8b336a0ec9a58201ca /third_party | |
parent | 0370d6b8aab1b7880dd2727e7d9aed04cc358360 (diff) | |
download | pdfium-0630447196b898b60103ca634e5c9d034b9d24d1.tar.xz |
Fix leak in PredictorSetupDecode by calling tif_cleanup on failure
tif_data and tif_cleanup are both set on the TIFFInit methods, see for
instance TIFFInitPixarLog. If PredictorSetupDecode fails, whatever was
filled on tif_data should be cleaned up. The previous leak fix from
PixarLogSetupDecode is no longer necessary.
BUG=683834
Change-Id: Ib7dec3fb8addd56fa20f2e85c4ee918222a5f97e
Reviewed-on: https://pdfium-review.googlesource.com/2432
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
Diffstat (limited to 'third_party')
-rw-r--r-- | third_party/libtiff/0018-fix-leak-in-PredictorSetupDecode.patch | 39 | ||||
-rw-r--r-- | third_party/libtiff/README.pdfium | 1 | ||||
-rw-r--r-- | third_party/libtiff/tif_pixarlog.c | 6 | ||||
-rw-r--r-- | third_party/libtiff/tif_predict.c | 3 |
4 files changed, 43 insertions, 6 deletions
diff --git a/third_party/libtiff/0018-fix-leak-in-PredictorSetupDecode.patch b/third_party/libtiff/0018-fix-leak-in-PredictorSetupDecode.patch
new file mode 100644
index 0000000000..a18df77409
--- /dev/null
+++ b/third_party/libtiff/0018-fix-leak-in-PredictorSetupDecode.patch
@@ -0,0 +1,39 @@
+diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
+index 80006d5b1..29535d31e 100644
+--- a/third_party/libtiff/tif_pixarlog.c
++++ b/third_party/libtiff/tif_pixarlog.c
+@@ -697,9 +697,6 @@ PixarLogSetupDecode(TIFF* tif)
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
+ sp->user_datafmt = PixarLogGuessDataFmt(td);
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
+- _TIFFfree(sp->tbuf);
+- sp->tbuf = NULL;
+- sp->tbuf_size = 0;
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "PixarLog compression can't handle bits depth/data format combination (depth: %d)",
+ td->td_bitspersample);
+@@ -707,9 +704,6 @@ PixarLogSetupDecode(TIFF* tif)
+ }
+
+ if (inflateInit(&sp->stream) != Z_OK) {
+- _TIFFfree(sp->tbuf);
+- sp->tbuf = NULL;
+- sp->tbuf_size = 0;
+ TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg);
+ return (0);
+ } else {
+diff --git a/third_party/libtiff/tif_predict.c b/third_party/libtiff/tif_predict.c
+index 1388dde59..8975672ae 100644
+--- a/third_party/libtiff/tif_predict.c
++++ b/third_party/libtiff/tif_predict.c
+@@ -109,7 +109,10 @@ PredictorSetupDecode(TIFF* tif)
+ TIFFDirectory* td = &tif->tif_dir;
+
+ if (!(*sp->setupdecode)(tif) || !PredictorSetup(tif))
++ {
++ (*tif->tif_cleanup)(tif);
+ return 0;
++ }
+
+ if (sp->predictor == 2) {
+ switch (td->td_bitspersample) {
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 04f728e3f7..7057a58a87 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -27,3 +27,4 @@ Local Modifications:
 0015-fix-leaks-in-tif_ojpeg.patch: fix direct leaks in tif_ojpeg.c methods
 0016-fix-leak-in-pixarlogsetupdecode.patch: Free sp->tbuf if setup fails
 0017-safe_skews_in_gtTileContig.patch: return error if to/from skews overflow from int32.
+0018-fix-leak-in-PredictorSetupDecode.patch: call tif->tif_cleanup if the setup fails.
diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
index 80006d5b1b..29535d31ee 100644
--- a/third_party/libtiff/tif_pixarlog.c
+++ b/third_party/libtiff/tif_pixarlog.c
@@ -697,9 +697,6 @@ PixarLogSetupDecode(TIFF* tif)
 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
 sp->user_datafmt = PixarLogGuessDataFmt(td);
 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
- _TIFFfree(sp->tbuf);
- sp->tbuf = NULL;
- sp->tbuf_size = 0;
 TIFFErrorExt(tif->tif_clientdata, module,
 "PixarLog compression can't handle bits depth/data format combination (depth: %d)",
 td->td_bitspersample);
@@ -707,9 +704,6 @@ PixarLogSetupDecode(TIFF* tif)
 }
 
 if (inflateInit(&sp->stream) != Z_OK) {
- _TIFFfree(sp->tbuf);
- sp->tbuf = NULL;
- sp->tbuf_size = 0;
 TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg);
 return (0);
 } else {
diff --git a/third_party/libtiff/tif_predict.c b/third_party/libtiff/tif_predict.c
index 1388dde59c..8975672aec 100644
--- a/third_party/libtiff/tif_predict.c
+++ b/third_party/libtiff/tif_predict.c
@@ -109,7 +109,10 @@ PredictorSetupDecode(TIFF* tif)
 TIFFDirectory* td = &tif->tif_dir;
 
 if (!(*sp->setupdecode)(tif) || !PredictorSetup(tif))
+ {
+ (*tif->tif_cleanup)(tif);
 return 0;
+ }
 
 if (sp->predictor == 2) {
 switch (td->td_bitspersample) { |
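Review bot: The failure branch added in PredictorSetupDecode (tif_predict.c) calls `(*tif->tif_cleanup)(tif)` while the `TIFF` handle stays alive, so the codec state in `tif_data` is torn down here and the caller can still reach the handle afterwards, at least to close it. Whether a later cleanup or a retried setup on the same handle is safe depends on every codec's cleanup routine clearing `tif_data` and resetting its hooks, which is not visible in this hunk; if one of them does not, the leak fix becomes a double free or a use of freed state. I would confirm that for each codec that installs the predictor and record it next to the call, e.g. `/* tif_cleanup frees tif_data; it must leave tif_data NULL and the codec hooks reset, since the handle may be cleaned up again when it is closed */`. The two deletions in tif_pixarlog.c depend on the same guarantee, because `sp->tbuf` is now released only through this path. The function body starts and ends outside the hunk.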