From 5756a77fa289ce1ef18bd7f2da75a39575ead9fe Mon Sep 17 00:00:00 2001
From: kcwu
Date: Mon, 7 Nov 2016 08:42:15 -0800
Subject: lcms: Fix memory leak in ReadSegmentedCurve

BUG=chromium:658223
Review-Url: https://codereview.chromium.org/2480013002
---
 .../0011-memory-leak-ReadSegmentedCurve.patch | 36 ++++++++++++++++++++++
 third_party/lcms2-2.6/README.pdfium | 1 +
 third_party/lcms2-2.6/src/cmstypes.c | 11 +++++--
 3 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 third_party/lcms2-2.6/0011-memory-leak-ReadSegmentedCurve.patch

diff --git a/third_party/lcms2-2.6/0011-memory-leak-ReadSegmentedCurve.patch b/third_party/lcms2-2.6/0011-memory-leak-ReadSegmentedCurve.patch
new file mode 100644
index 0000000000..a6cfe02b8c
--- /dev/null
+++ b/third_party/lcms2-2.6/0011-memory-leak-ReadSegmentedCurve.patch
@@ -0,0 +1,36 @@
+diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
+index 15199c7..04dd0c4 100644
+--- a/third_party/lcms2-2.6/src/cmstypes.c
++++ b/third_party/lcms2-2.6/src/cmstypes.c
+@@ -3968,7 +3968,7 @@ cmsToneCurve* ReadSegmentedCurve(struct _cms_typehandler_struct* self, cmsIOHAND
+ case cmsSigSampledCurveSeg: {
+ cmsUInt32Number Count;
+
+- if (!_cmsReadUInt32Number(io, &Count)) return NULL;
++ if (!_cmsReadUInt32Number(io, &Count)) goto Error;
+
+ Segments[i].nGridPoints = Count;
+ Segments[i].SampledPoints = (cmsFloat32Number*) _cmsCalloc(self ->ContextID, Count, sizeof(cmsFloat32Number));
+@@ -3987,7 +3987,7 @@ cmsToneCurve* ReadSegmentedCurve(struct _cms_typehandler_struct* self, cmsIOHAND
+ _cmsTagSignature2String(String, (cmsTagSignature) ElementSig);
+ cmsSignalError(self->ContextID, cmsERROR_UNKNOWN_EXTENSION, "Unknown curve element type '%s' found.", String);
+ }
+- return NULL;
++ goto Error;
+
+ }
+ }
+@@ -4001,7 +4001,12 @@ cmsToneCurve* ReadSegmentedCurve(struct _cms_typehandler_struct* self, cmsIOHAND
+ return Curve;
+
+ Error:
+- if (Segments) _cmsFree(self ->ContextID, Segments);
++ if (Segments) {
++ for (i=0; i < nSegments; i++) {
++ if (Segments[i].SampledPoints) _cmsFree(self ->ContextID, Segments[i].SampledPoints);
++ }
++ _cmsFree(self ->ContextID, Segments);
++ }
+ return NULL;
+ }
+
diff --git a/third_party/lcms2-2.6/README.pdfium b/third_party/lcms2-2.6/README.pdfium
index 60934f61b1..b0d5e3e000 100644
--- a/third_party/lcms2-2.6/README.pdfium
+++ b/third_party/lcms2-2.6/README.pdfium
@@ -20,4 +20,5 @@ Local Modifications:
 0008-memory-leak-Type_MPEmatrix_Read.patch: Fix memory leak in MPEmatrix_Read.
 0009-cmsStageAllocMatrix-param-swap.patch: Fix rows/cols swap in cmsStageAllocMatrix.
 0010-reject-nan.patch: Reject NaN when reading float numbers.
+0011-memory-leak-ReadSegmentedCurve.patch: Fix memory leak in ReadSegmentedCurve.
 TODO(ochang): List other patches.
diff --git a/third_party/lcms2-2.6/src/cmstypes.c b/third_party/lcms2-2.6/src/cmstypes.c
index 15199c7084..04dd0c4e00 100644
--- a/third_party/lcms2-2.6/src/cmstypes.c
+++ b/third_party/lcms2-2.6/src/cmstypes.c
@@ -3968,7 +3968,7 @@ cmsToneCurve* ReadSegmentedCurve(struct _cms_typehandler_struct* self, cmsIOHAND
 case cmsSigSampledCurveSeg: {
 cmsUInt32Number Count;
 
- if (!_cmsReadUInt32Number(io, &Count)) return NULL;
+ if (!_cmsReadUInt32Number(io, &Count)) goto Error;
 
 Segments[i].nGridPoints = Count;
 Segments[i].SampledPoints = (cmsFloat32Number*) _cmsCalloc(self ->ContextID, Count, sizeof(cmsFloat32Number));
@@ -3987,7 +3987,7 @@ cmsToneCurve* ReadSegmentedCurve(struct _cms_typehandler_struct* self, cmsIOHAND
 _cmsTagSignature2String(String, (cmsTagSignature) ElementSig);
 cmsSignalError(self->ContextID, cmsERROR_UNKNOWN_EXTENSION, "Unknown curve element type '%s' found.", String);
 }
- return NULL;
+ goto Error;
 
 }
 }
@@ -4001,7 +4001,12 @@ cmsToneCurve* ReadSegmentedCurve(struct _cms_typehandler_struct* self, cmsIOHAND
 return Curve;
 
 Error:
- if (Segments) _cmsFree(self ->ContextID, Segments);
+ if (Segments) {
+ for (i=0; i < nSegments; i++) {
+ if (Segments[i].SampledPoints) _cmsFree(self ->ContextID, Segments[i].SampledPoints);
+ }
+ _cmsFree(self ->ContextID, Segments);
+ }
 return NULL;
 }
 
-- 
cgit v1.2.3
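Review bot: `Count` is read from the profile stream and handed to `_cmsCalloc` on the context lines just below the changed read, with no upper bound visible in this hunk, so a small malformed profile could still request a very large zeroed buffer for each sampled segment. Routing the failed read to `Error` is right, but a range check before the allocation would bound the work done on hostile input, for example `if (Count > kMaxGridPoints) goto Error;` where `kMaxGridPoints` is a placeholder for a limit the project would choose. `_cmsCalloc` may enforce its own cap, and any NULL check on its result falls outside the hunk, as does the rest of the `case` body.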
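Review bot: The new cleanup loop under `Error:` walks all `nSegments` entries, including those the parser had not reached when it bailed out, so it is only safe if `Segments` was zero-filled when it was allocated; that allocation is outside this hunk. If it is, a comment above the loop such as `/* Segments is zero-initialised at allocation, so unparsed entries have SampledPoints == NULL */` would record the dependency for anyone who later changes the allocator call. The two `return NULL` sites converted to `goto Error` in the earlier hunks now rely on this path as well. The function body begins before this hunk.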