From 352b6971deeb8e7438b6880fd4a26fd3f9382c47 Mon Sep 17 00:00:00 2001
From: Nicolas Pena
Date: Wed, 18 Jan 2017 14:28:00 -0500
Subject: Fix leak in PixarLogSetupDecode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The call may come from TIFFReadRGBAImageOriented, and there no cleanup is done. So free the memory allocation on failure.

BUG=681301
Change-Id: I4ac7db03d18eddd3117649ca185dffdcc9189870
Reviewed-on: https://pdfium-review.googlesource.com/2252
Reviewed-by: dsinclair
Reviewed-by: Tom Sepez
Commit-Queue: Nicolás Peña
---
 .../libtiff/0015-fix-leaks-in-tif_ojpeg.diff | 37 ----------------------
 .../libtiff/0015-fix-leaks-in-tif_ojpeg.patch | 37 ++++++++++++++++++++++
 .../0016-fix-leak-in-pixarlogsetupdecode.patch | 24 ++++++++++++++
 third_party/libtiff/README.pdfium | 3 +-
 third_party/libtiff/tif_pixarlog.c | 6 ++++
 5 files changed, 69 insertions(+), 38 deletions(-)
 delete mode 100644 third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.diff
 create mode 100644 third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.patch
 create mode 100644 third_party/libtiff/0016-fix-leak-in-pixarlogsetupdecode.patch

diff --git a/third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.diff b/third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.diff
deleted file mode 100644
index e9d3a408bf..0000000000
--- a/third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.diff
+++ /dev/null
@@ -1,37 +0,0 @@
-diff --git a/third_party/libtiff/tif_ojpeg.c b/third_party/libtiff/tif_ojpeg.c
-index cc5449cd6..f69b00148 100644
---- a/third_party/libtiff/tif_ojpeg.c
-+++ b/third_party/libtiff/tif_ojpeg.c
-@@ -1790,7 +1790,10 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF* tif)
- TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET);
- p=TIFFReadFile(tif,&ob[sizeof(uint32)+5],64);
- if (p!=64)
-+ {
-+ _TIFFfree(ob);
- return(0);
-+ }
- sp->qtable[m]=ob;
- sp->sof_tq[m]=m;
- }
-@@ -1854,7 +1857,10 @@ OJPEGReadHeaderInfoSecTablesDcTable(TIFF* tif)
- rb[sizeof(uint32)+5+n]=o[n];
- p=TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
- if (p!=q)
-+ {
-+ _TIFFfree(rb);
- return(0);
-+ }
- sp->dctable[m]=rb;
- sp->sos_tda[m]=(m<<4);
- }
-@@ -1918,7 +1924,10 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF* tif)
- rb[sizeof(uint32)+5+n]=o[n];
- p=TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
- if (p!=q)
-+ {
-+ _TIFFfree(rb);
- return(0);
-+ }
- sp->actable[m]=rb;
- sp->sos_tda[m]=(sp->sos_tda[m]|m);
- }
diff --git a/third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.patch b/third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.patch
new file mode 100644
index 0000000000..e9d3a408bf
--- /dev/null
+++ b/third_party/libtiff/0015-fix-leaks-in-tif_ojpeg.patch
@@ -0,0 +1,37 @@
+diff --git a/third_party/libtiff/tif_ojpeg.c b/third_party/libtiff/tif_ojpeg.c
+index cc5449cd6..f69b00148 100644
+--- a/third_party/libtiff/tif_ojpeg.c
++++ b/third_party/libtiff/tif_ojpeg.c
+@@ -1790,7 +1790,10 @@ OJPEGReadHeaderInfoSecTablesQTable(TIFF* tif)
+ TIFFSeekFile(tif,sp->qtable_offset[m],SEEK_SET);
+ p=TIFFReadFile(tif,&ob[sizeof(uint32)+5],64);
+ if (p!=64)
++ {
++ _TIFFfree(ob);
+ return(0);
++ }
+ sp->qtable[m]=ob;
+ sp->sof_tq[m]=m;
+ }
+@@ -1854,7 +1857,10 @@ OJPEGReadHeaderInfoSecTablesDcTable(TIFF* tif)
+ rb[sizeof(uint32)+5+n]=o[n];
+ p=TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
+ if (p!=q)
++ {
++ _TIFFfree(rb);
+ return(0);
++ }
+ sp->dctable[m]=rb;
+ sp->sos_tda[m]=(m<<4);
+ }
+@@ -1918,7 +1924,10 @@ OJPEGReadHeaderInfoSecTablesAcTable(TIFF* tif)
+ rb[sizeof(uint32)+5+n]=o[n];
+ p=TIFFReadFile(tif,&(rb[sizeof(uint32)+21]),q);
+ if (p!=q)
++ {
++ _TIFFfree(rb);
+ return(0);
++ }
+ sp->actable[m]=rb;
+ sp->sos_tda[m]=(sp->sos_tda[m]|m);
+ }
diff --git a/third_party/libtiff/0016-fix-leak-in-pixarlogsetupdecode.patch b/third_party/libtiff/0016-fix-leak-in-pixarlogsetupdecode.patch
new file mode 100644
index 0000000000..c49e676c34
--- /dev/null
+++ b/third_party/libtiff/0016-fix-leak-in-pixarlogsetupdecode.patch
@@ -0,0 +1,24 @@
+diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
+index 29535d31e..80006d5b1 100644
+--- a/third_party/libtiff/tif_pixarlog.c
++++ b/third_party/libtiff/tif_pixarlog.c
+@@ -697,6 +697,9 @@ PixarLogSetupDecode(TIFF* tif)
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
+ sp->user_datafmt = PixarLogGuessDataFmt(td);
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
++ _TIFFfree(sp->tbuf);
++ sp->tbuf = NULL;
++ sp->tbuf_size = 0;
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "PixarLog compression can't handle bits depth/data format combination (depth: %d)",
+ td->td_bitspersample);
+@@ -704,6 +707,9 @@ PixarLogSetupDecode(TIFF* tif)
+ }
+ 
+ if (inflateInit(&sp->stream) != Z_OK) {
++ _TIFFfree(sp->tbuf);
++ sp->tbuf = NULL;
++ sp->tbuf_size = 0;
+ TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg);
+ return (0);
+ } else {
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index cc50be73e6..23c8450eff 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -24,4 +24,5 @@ Local Modifications:
 0012-initialize-tif-rawdata.patch: Initialize tif_rawdata to guard against unitialized access
 0013-validate-refblackwhite.patch: Make sure the refblackwhite values aren't nan.
 0014-cast-to-unsigned-in-putagreytile.patch: casting to avoid undefined shifts.
-0015-fix-leaks-in-tif_ojpeg.diff: fix direct leaks in tif_ojpeg.c methods
+0015-fix-leaks-in-tif_ojpeg.patch: fix direct leaks in tif_ojpeg.c methods
+0016-fix-leak-in-pixarlogsetupdecode.patch: Free sp->tbuf if setup fails
diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
index 29535d31ee..80006d5b1b 100644
--- a/third_party/libtiff/tif_pixarlog.c
+++ b/third_party/libtiff/tif_pixarlog.c
@@ -697,6 +697,9 @@ PixarLogSetupDecode(TIFF* tif)
 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
 sp->user_datafmt = PixarLogGuessDataFmt(td);
 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
+ _TIFFfree(sp->tbuf);
+ sp->tbuf = NULL;
+ sp->tbuf_size = 0;
 TIFFErrorExt(tif->tif_clientdata, module,
 "PixarLog compression can't handle bits depth/data format combination (depth: %d)",
 td->td_bitspersample);
@@ -704,6 +707,9 @@ PixarLogSetupDecode(TIFF* tif)
 }
 
 if (inflateInit(&sp->stream) != Z_OK) {
+ _TIFFfree(sp->tbuf);
+ sp->tbuf = NULL;
+ sp->tbuf_size = 0;
 TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg);
 return (0);
 } else {
-- 
cgit v1.2.3
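Review bot: The three-line release of `sp->tbuf` is pasted verbatim into both failure branches of this section, the unknown-data-format check in the first hunk and the `inflateInit` check in the second, so the two paths will drift the moment one of them has to release something else; a single `goto bad;` in each branch, jumping to one label at the end of PixarLogSetupDecode that does `_TIFFfree(sp->tbuf); sp->tbuf = NULL; sp->tbuf_size = 0; return (0);` after the error report, keeps the cleanup in one place. The function body begins and ends outside the hunks, so that label would sit past the visible `} else {`. In the second branch the unchanged `TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg)` presumably relies on zlib having filled in `msg`, which inflateInit does not promise on every error code; `sp->stream.msg ? sp->stream.msg : "(null)"` avoids handing a null pointer to `%s`. The leak fix itself reads correctly on the assumption, stated in the commit message, that the decoder's normal cleanup is not reached after these early returns.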