From 0b6447a7231b5263d10f2bd9be3088f93af9629f Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Thu, 23 Feb 2017 15:55:32 -0500
Subject: Libtiff: fix leaking tables in tif_ojpeg.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Tables should be freed before they are reassigned. This CL fixes the three places where this is not happening.
BUG=694599
Change-Id: I4e7cf1a6354b1129ecaf7ddcc74d8a36ba289df7
Reviewed-on: https://pdfium-review.googlesource.com/2830
Reviewed-by: Tom Sepez
Commit-Queue: Nicolás Peña
---
 .../0021-fix-leaks-ojpegreaderinfosectables.patch | 31 ++++++++++++++++++++++
 third_party/libtiff/README.pdfium | 1 +
 third_party/libtiff/tif_ojpeg.c | 6 +++++
 3 files changed, 38 insertions(+)
 create mode 100644 third_party/libtiff/0021-fix-leaks-ojpegreaderinfosectables.patch
diff --git a/third_party/libtiff/0021-fix-leaks-ojpegreaderinfosectables.patch b/third_party/libtiff/0021-fix-leaks-ojpegreaderinfosectables.patch
new file mode 100644
index 0000000000..13aef44d91
--- /dev/null
+++ b/third_party/libtiff/0021-fix-leaks-ojpegreaderinfosectables.patch
@@ -0,0 +1,31 @@
+diff --git a/third_party/libtiff/tif_ojpeg.c b/third_party/libtiff/tif_ojpeg.c
+index f69b00148..1a700d5bc 100644
+--- a/third_party/libtiff/tif_ojpeg.c
++++ b/third_party/libtiff/tif_ojpeg.c
+@@ -1794,6 +1794,8 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF* tif)
+ _TIFFfree(ob);
+ return(0);
+ }
++ if(sp->qtable[m]!=0)
++ _TIFFfree(sp->qtable[m]);
+ sp->qtable[m]=ob;
+ sp->sof_tq[m]=m;
+ }
+@@ -1861,6 +1863,8 @@ OJPEGReadHeaderInfoSecTablesDcTable(TIFF* tif)
+ _TIFFfree(rb);
+ return(0);
+ }
++ if(sp->dctable[m]!=0)
++ _TIFFfree(sp->dctable[m]);
+ sp->dctable[m]=rb;
+ sp->sos_tda[m]=(m<<4);
+ }
+@@ -1928,6 +1932,8 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF* tif)
+ _TIFFfree(rb);
+ return(0);
+ }
++ if(sp->actable[m])
++ _TIFFfree(sp->actable[m]);
+ sp->actable[m]=rb;
+ sp->sos_tda[m]=(sp->sos_tda[m]|m);
+ }
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 219b3a73b0..e4436d21fd 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -30,3 +30,4 @@ Local Modifications:
 0018-fix-leak-in-PredictorSetupDecode.patch: call tif->tif_cleanup if the setup fails.
 0019-fix-invalid-reads-TIFFFetchNormalTag.patch: upstream security fix in tif_dirread.
 0020-unreasonable-td-bitspersample.patch: upstream patch ignoring large td_bitspersample.
+0021-fix-leaks-ojpegreaderinfosectables.patch: more direct leak fixes in tif_ojpeg.c.
diff --git a/third_party/libtiff/tif_ojpeg.c b/third_party/libtiff/tif_ojpeg.c
index f69b00148c..1a700d5bc2 100644
--- a/third_party/libtiff/tif_ojpeg.c
+++ b/third_party/libtiff/tif_ojpeg.c
@@ -1794,6 +1794,8 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF* tif)
 _TIFFfree(ob);
 return(0);
 }
+ if(sp->qtable[m]!=0)
+ _TIFFfree(sp->qtable[m]);
 sp->qtable[m]=ob;
 sp->sof_tq[m]=m;
 }
@@ -1861,6 +1863,8 @@ OJPEGReadHeaderInfoSecTablesDcTable(TIFF* tif)
 _TIFFfree(rb);
 return(0);
 }
+ if(sp->dctable[m]!=0)
+ _TIFFfree(sp->dctable[m]);
 sp->dctable[m]=rb;
 sp->sos_tda[m]=(m<<4);
 }
@@ -1928,6 +1932,8 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF* tif)
 _TIFFfree(rb);
 return(0);
 }
+ if(sp->actable[m])
+ _TIFFfree(sp->actable[m]);
 sp->actable[m]=rb;
 sp->sos_tda[m]=(sp->sos_tda[m]|m);
 }
-- cgit v1.2.3
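Review bot: The added free-before-assign guards in OJPEGReadHeaderInfoSecTablesQTable, and the matching ones in the DcTable and AcTable hunks, carry no comment saying why a slot can already be populated when these readers run, which is the ownership rule a maintainer of this untrusted-input parser needs to see. I would put above each guard something like `/* slot may still hold a table from an earlier pass; release it before taking ownership of the new buffer */`. The guards are sound only if every `qtable`/`dctable`/`actable` entry is either null or a live heap pointer owned by `sp` at this point; the state initialisation and the cleanup path are outside these hunks, so that is worth confirming before relying on it. As a style point, the AcTable hunk tests `if(sp->actable[m])` while the other two use `!=0`; one form should be used in all three. All three function bodies start and end outside the hunks shown.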