From 39ee9dfac1c6d286a4075c7e2435fe1cfe365bad Mon Sep 17 00:00:00 2001
From: kcwu
Date: Thu, 22 Sep 2016 18:26:22 -0700
Subject: Fix memory leaks in lcms found by libfuzzer

Review-Url: https://codereview.chromium.org/2359243003
---
 .../0004-memory-leak-Type_Curve_Read.patch | 28 ++++++++++++++++++
 .../0005-memory-leak-AllocEmptyTransform.patch | 34 ++++++++++++++++++++++
 .../0006-memory-leak-Type_NamedColor_Read.patch | 22 ++++++++++++++
 .../0007-memory-leak-OptimizeByResampling.patch | 13 +++++++++
 third_party/lcms2-2.6/README.pdfium | 4 +++
 third_party/lcms2-2.6/src/cmsopt.c | 2 +-
 third_party/lcms2-2.6/src/cmstypes.c | 14 ++++++--
 third_party/lcms2-2.6/src/cmsxform.c | 9 ++++-
 8 files changed, 118 insertions(+), 8 deletions(-)
 create mode 100644 third_party/lcms2-2.6/0004-memory-leak-Type_Curve_Read.patch
 create mode 100644 third_party/lcms2-2.6/0005-memory-leak-AllocEmptyTransform.patch
 create mode 100644 third_party/lcms2-2.6/0006-memory-leak-Type_NamedColor_Read.patch
 create mode 100644 third_party/lcms2-2.6/0007-memory-leak-OptimizeByResampling.patch

diff --git a/third_party/lcms2-2.6/0004-memory-leak-Type_Curve_Read.patch b/third_party/lcms2-2.6/0004-memory-leak-Type_Curve_Read.patch
new file mode 100644
index 0000000000..341a1c6b47
--- /dev/null
+++ b/third_party/lcms2-2.6/0004-memory-leak-Type_Curve_Read.patch
@@ -0,0 +1,28 @@
+diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
+index 06742b5..9fe5e2a 100644
+--- a/third_party/lcms2-2.6/src/cmstypes.c
++++ b/third_party/lcms2-2.6/src/cmstypes.c
+@@ -1112,7 +1112,10 @@ void *Type_Curve_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cm
+ NewGamma = cmsBuildTabulatedToneCurve16(self ->ContextID, Count, NULL);
+ if (!NewGamma) return NULL;
+
+- if (!_cmsReadUInt16Array(io, Count, NewGamma -> Table16)) return NULL;
++ if (!_cmsReadUInt16Array(io, Count, NewGamma -> Table16)) {
++ cmsFreeToneCurve(NewGamma);
++ return NULL;
++ }
+
+ *nItems = 1;
+ return NewGamma;
+@@ -2350,7 +2353,10 @@ cmsStage* ReadCLUT(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsUI
+
+ for (i=0; i < Data ->nEntries; i++) {
+
+- if (io ->Read(io, &v, sizeof(cmsUInt8Number), 1) != 1) return NULL;
++ if (io ->Read(io, &v, sizeof(cmsUInt8Number), 1) != 1) {
++ cmsStageFree(CLUT);
++ return NULL;
++ }
+ Data ->Tab.T[i] = FROM_8_TO_16(v);
+ }
+
diff --git a/third_party/lcms2-2.6/0005-memory-leak-AllocEmptyTransform.patch b/third_party/lcms2-2.6/0005-memory-leak-AllocEmptyTransform.patch
new file mode 100644
index 0000000000..a85a9682bd
--- /dev/null
+++ b/third_party/lcms2-2.6/0005-memory-leak-AllocEmptyTransform.patch
@@ -0,0 +1,34 @@
+diff --git a/third_party/lcms2-2.6/src/cmsxform.c b/third_party/lcms2-2.6/src/cmsxform.c
+index eddb9bd..6466d27 100644
+--- a/third_party/lcms2-2.6/src/cmsxform.c
++++ b/third_party/lcms2-2.6/src/cmsxform.c
+@@ -593,7 +593,10 @@ _cmsTRANSFORM* AllocEmptyTransform(cmsContext ContextID, cmsPipeline* lut,
+
+ // Allocate needed memory
+ _cmsTRANSFORM* p = (_cmsTRANSFORM*) _cmsMallocZero(ContextID, sizeof(_cmsTRANSFORM));
+- if (!p) return NULL;
++ if (!p) {
++ cmsPipelineFree(lut);
++ return NULL;
++ }
+
+ // Store the proposed pipeline
+ p ->Lut = lut;
+@@ -643,7 +646,7 @@ _cmsTRANSFORM* AllocEmptyTransform(cmsContext ContextID, cmsPipeline* lut,
+ if (p ->FromInputFloat == NULL || p ->ToOutputFloat == NULL) {
+
+ cmsSignalError(ContextID, cmsERROR_UNKNOWN_EXTENSION, "Unsupported raster format");
+- _cmsFree(ContextID, p);
++ cmsDeleteTransform(p);
+ return NULL;
+ }
+
+@@ -673,7 +676,7 @@ _cmsTRANSFORM* AllocEmptyTransform(cmsContext ContextID, cmsPipeline* lut,
+ if (p ->FromInput == NULL || p ->ToOutput == NULL) {
+
+ cmsSignalError(ContextID, cmsERROR_UNKNOWN_EXTENSION, "Unsupported raster format");
+- _cmsFree(ContextID, p);
++ cmsDeleteTransform(p);
+ return NULL;
+ }
+
diff --git a/third_party/lcms2-2.6/0006-memory-leak-Type_NamedColor_Read.patch b/third_party/lcms2-2.6/0006-memory-leak-Type_NamedColor_Read.patch
new file mode 100644
index 0000000000..5d25d5a737
--- /dev/null
+++ b/third_party/lcms2-2.6/0006-memory-leak-Type_NamedColor_Read.patch
@@ -0,0 +1,22 @@
+diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
+index feba387..4d24fc2 100644
+--- a/third_party/lcms2-2.6/src/cmstypes.c
++++ b/third_party/lcms2-2.6/src/cmstypes.c
+@@ -3102,7 +3102,7 @@ void *Type_NamedColor_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* i
+
+ if (nDeviceCoords > cmsMAXCHANNELS) {
+ cmsSignalError(self->ContextID, cmsERROR_RANGE, "Too many device coordinates '%d'", nDeviceCoords);
+- return 0;
++ goto Error;
+ }
+ for (i=0; i < count; i++) {
+
+@@ -3111,7 +3111,7 @@ void *Type_NamedColor_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* i
+ char Root[33];
+
+ memset(Colorant, 0, sizeof(Colorant));
+- if (io -> Read(io, Root, 32, 1) != 1) return NULL;
++ if (io -> Read(io, Root, 32, 1) != 1) goto Error;
+ Root[32] = 0;
+ if (!_cmsReadUInt16Array(io, 3, PCS)) goto Error;
+ if (!_cmsReadUInt16Array(io, nDeviceCoords, Colorant)) goto Error;
diff --git a/third_party/lcms2-2.6/0007-memory-leak-OptimizeByResampling.patch b/third_party/lcms2-2.6/0007-memory-leak-OptimizeByResampling.patch
new file mode 100644
index 0000000000..2c55b94fa1
--- /dev/null
+++ b/third_party/lcms2-2.6/0007-memory-leak-OptimizeByResampling.patch
@@ -0,0 +1,13 @@
+diff --git a/third_party/lcms2-2.6/src/cmsopt.c b/third_party/lcms2-2.6/src/cmsopt.c
+index f885ef3..684910d 100644
+--- a/third_party/lcms2-2.6/src/cmsopt.c
++++ b/third_party/lcms2-2.6/src/cmsopt.c
+@@ -612,7 +612,7 @@ cmsBool OptimizeByResampling(cmsPipeline** Lut, cmsUInt32Number Intent, cmsUInt3
+
+ // Allocate the CLUT
+ CLUT = cmsStageAllocCLut16bit(Src ->ContextID, nGridPoints, Src ->InputChannels, Src->OutputChannels, NULL);
+- if (CLUT == NULL) return FALSE;
++ if (CLUT == NULL) goto Error;
+
+ // Add the CLUT to the destination LUT
+ if (!cmsPipelineInsertStage(Dest, cmsAT_END, CLUT)) {
diff --git a/third_party/lcms2-2.6/README.pdfium b/third_party/lcms2-2.6/README.pdfium
index 82bdbc60d3..4fcd32b18e 100644
--- a/third_party/lcms2-2.6/README.pdfium
+++ b/third_party/lcms2-2.6/README.pdfium
@@ -13,4 +13,8 @@ Local Modifications:
 0001-from16-to-8-overflow.patch: Prevent a UBSan warning.
 0002-infinite-loop-GrowNamedColorList.patch: Fix infinite loop when calling GrowNamedColorList.
 0003-uninit.patch: Fix use uninitialized value and stack buffer overflow read.
+0004-memory-leak-Type_Curve_Read.patch: Fix memory leak in Type_Curve_Read.
+0005-memory-leak-AllocEmptyTransform.patch: Fix memory leak in AllocEmptyTransform.
+0006-memory-leak-Type_NamedColor_Read.patch: Fix memory leak in Type_NamedColor_Read.
+0007-memory-leak-OptimizeByResampling.patch: Fix memory leak in OptimizeByResampling.
 TODO(ochang): List other patches.
diff --git a/third_party/lcms2-2.6/src/cmsopt.c b/third_party/lcms2-2.6/src/cmsopt.c
index f885ef3f60..684910d799 100644
--- a/third_party/lcms2-2.6/src/cmsopt.c
+++ b/third_party/lcms2-2.6/src/cmsopt.c
@@ -612,7 +612,7 @@ cmsBool OptimizeByResampling(cmsPipeline** Lut, cmsUInt32Number Intent, cmsUInt3
 // Allocate the CLUT
 CLUT = cmsStageAllocCLut16bit(Src ->ContextID, nGridPoints, Src ->InputChannels, Src->OutputChannels, NULL);
- if (CLUT == NULL) return FALSE;
+ if (CLUT == NULL) goto Error;
 // Add the CLUT to the destination LUT
 if (!cmsPipelineInsertStage(Dest, cmsAT_END, CLUT)) {
diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
index 44c5b87735..441d6bb241 100644
--- a/third_party/lcms2-2.6/src/cmstypes.c
+++ b/third_party/lcms2-2.6/src/cmstypes.c
@@ -1112,7 +1112,10 @@ void *Type_Curve_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cm
 NewGamma = cmsBuildTabulatedToneCurve16(self ->ContextID, Count, NULL);
 if (!NewGamma) return NULL;
- if (!_cmsReadUInt16Array(io, Count, NewGamma -> Table16)) return NULL;
+ if (!_cmsReadUInt16Array(io, Count, NewGamma -> Table16)) {
+ cmsFreeToneCurve(NewGamma);
+ return NULL;
+ }
 *nItems = 1;
 return NewGamma;
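Review bot: `if (CLUT == NULL) goto Error;` jumps to an `Error:` label that lies outside this hunk, so the hunk alone cannot show what is released there; the leak being closed is presumably `Dest` (and any kept pre/post-linearization pipelines), so confirm the label frees those and never touches `CLUT`, which is NULL on this path. The `cmsPipelineInsertStage` failure branch on the last context line is also cut off: if it reaches `Error` without `cmsStageFree(CLUT);`, the stage allocated here is orphaned on that path because it was never attached to `Dest` — a `cmsStageFree(CLUT);` before its `goto Error;` would close that. OptimizeByResampling begins and ends outside the hunk.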
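Review bot: The new `cmsFreeToneCurve(NewGamma)` closes the leak on a truncated read, but `Count` comes from the tag and is used both as the allocation size in `cmsBuildTabulatedToneCurve16` and as the element count for `_cmsReadUInt16Array`; the bound that rejects oversized counts (against SizeOfTag or a fixed maximum) is not in view, so confirm it sits before this hunk rather than relying on the allocator to fail. A one-line ownership comment on the new branch would help the next maintainer, e.g. `// NewGamma owns Table16, so the whole curve is released on a short read`, and it is worth confirming `*nItems` is zeroed at function entry so callers never see a stale count on the NULL paths. Type_Curve_Read starts and ends outside the hunk.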
@@ -2350,7 +2353,10 @@ cmsStage* ReadCLUT(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsUI
 for (i=0; i < Data ->nEntries; i++) {
- if (io ->Read(io, &v, sizeof(cmsUInt8Number), 1) != 1) return NULL;
+ if (io ->Read(io, &v, sizeof(cmsUInt8Number), 1) != 1) {
+ cmsStageFree(CLUT);
+ return NULL;
+ }
 Data ->Tab.T[i] = FROM_8_TO_16(v);
 }
@@ -3096,7 +3102,7 @@ void *Type_NamedColor_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* i
 if (nDeviceCoords > cmsMAXCHANNELS) {
 cmsSignalError(self->ContextID, cmsERROR_RANGE, "Too many device coordinates '%d'", nDeviceCoords);
- return 0;
+ goto Error;
 }
 for (i=0; i < count; i++) {
@@ -3105,7 +3111,7 @@ void *Type_NamedColor_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* i
 char Root[33];
 memset(Colorant, 0, sizeof(Colorant));
- if (io -> Read(io, Root, 32, 1) != 1) return NULL;
+ if (io -> Read(io, Root, 32, 1) != 1) goto Error;
 Root[32] = 0;
 if (!_cmsReadUInt16Array(io, 3, PCS)) goto Error;
 if (!_cmsReadUInt16Array(io, nDeviceCoords, Colorant)) goto Error;
diff --git a/third_party/lcms2-2.6/src/cmsxform.c b/third_party/lcms2-2.6/src/cmsxform.c
index eddb9bd02c..6466d27c3e 100644
--- a/third_party/lcms2-2.6/src/cmsxform.c
+++ b/third_party/lcms2-2.6/src/cmsxform.c
@@ -593,7 +593,10 @@ _cmsTRANSFORM* AllocEmptyTransform(cmsContext ContextID, cmsPipeline* lut,
 // Allocate needed memory
 _cmsTRANSFORM* p = (_cmsTRANSFORM*) _cmsMallocZero(ContextID, sizeof(_cmsTRANSFORM));
- if (!p) return NULL;
+ if (!p) {
+ cmsPipelineFree(lut);
+ return NULL;
+ }
 // Store the proposed pipeline
 p ->Lut = lut;
@@ -643,7 +646,7 @@ _cmsTRANSFORM* AllocEmptyTransform(cmsContext ContextID, cmsPipeline* lut,
 if (p ->FromInputFloat == NULL || p ->ToOutputFloat == NULL) {
 cmsSignalError(ContextID, cmsERROR_UNKNOWN_EXTENSION, "Unsupported raster format");
- _cmsFree(ContextID, p);
+ cmsDeleteTransform(p);
 return NULL;
 }
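Review bot: `cmsStageFree(CLUT)` is added only to the 8-bit read loop; if this function follows the upstream 2.6 layout, the 16-bit branch that follows it (`_cmsReadUInt16Array(io, Data->nEntries, Data->Tab.T)`) and the unknown-precision error branch both `return NULL` the same way and would leak `CLUT` identically — they are outside the hunk, so please check them and apply the same free. A single `Error:` label that frees `CLUT` and returns NULL would keep all three exits in step and match the goto-cleanup style this commit uses in Type_NamedColor_Read. ReadCLUT begins and ends outside the hunk.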
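Review bot: `goto Error` replaces a bare `return 0`, so the correctness of this fix now rests on an `Error:` label outside the hunk that must free the named-color list already allocated earlier in the function (presumably via `cmsFreeNamedColorList`) and return NULL; please confirm it does and that the list pointer is initialised before any path can reach the label. If the list is allocated before this range check, moving the `nDeviceCoords > cmsMAXCHANNELS` check ahead of the allocation would remove the need for cleanup on this path altogether. Type_NamedColor_Read starts and ends outside the hunk.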
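Review bot: `cmsPipelineFree(lut)` on allocation failure makes AllocEmptyTransform the owner of `lut` on every path, including the NULL return, so any caller that still frees its pipeline after a NULL result would now double-free; the callers are outside this hunk and need to be checked, and the contract should be stated on the function, e.g. `// Takes ownership of 'lut': it is released here on every failure path, so callers must not free it after a NULL return.` The same contract covers the later `cmsDeleteTransform(p)` exits, which free `p->Lut` as well. AllocEmptyTransform starts and ends outside the hunk.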
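Review bot: `cmsDeleteTransform(p)` tears the partially built transform down through `p->ContextID`, but in the 2.6 layout `p->ContextID` is assigned near the end of the function (outside the hunk), so at this point it still holds the zero left by `_cmsMallocZero` and a block allocated from `ContextID`'s memory plugin would be returned through the global context instead — a mismatch whenever a custom memory plugin is installed on that context. Setting `p->ContextID = ContextID;` right after the allocation succeeds (before `p->Lut = lut;`) makes both `cmsDeleteTransform` exits consistent with the allocation; please confirm against the rest of the function. This path also relies on every other freeable member (gamut check, colorant lists, user data) still being NULL here, which the zeroing allocation is meant to guarantee.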
@@ -673,7 +676,7 @@ _cmsTRANSFORM* AllocEmptyTransform(cmsContext ContextID, cmsPipeline* lut,
 if (p ->FromInput == NULL || p ->ToOutput == NULL) {
 cmsSignalError(ContextID, cmsERROR_UNKNOWN_EXTENSION, "Unsupported raster format");
- _cmsFree(ContextID, p);
+ cmsDeleteTransform(p);
 return NULL;
 }
-- cgit v1.2.3
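Review bot: This branch duplicates the `FromInputFloat`/`ToOutputFloat` failure branch above it line for line; a single `Error:` label holding the `cmsSignalError` and `cmsDeleteTransform(p)` calls, reached by `goto Error;` from both checks, would match the cleanup style this same commit adopts in cmstypes.c and cmsopt.c and keep any future fix to the teardown in one place. The concern that `p->ContextID` may still be unset when `cmsDeleteTransform` runs applies to this exit as well. AllocEmptyTransform continues past the hunk.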