From 8e783a6b2c165b5d3dcdf9e4d4c2526ac18c77c8 Mon Sep 17 00:00:00 2001 From: dsinclair Date: Tue, 6 Sep 2016 08:56:46 -0700 Subject: Avoid leaking params if any entry bad. The call to png_set_pCAL can call into png_error for several reasons. This CL verifies that the params are valid before calling into png_set_pCAL. BUG=chromium:636214 Review-Url: https://codereview.chromium.org/2292313003 --- third_party/libpng16/pngset.c | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) (limited to 'third_party/libpng16/pngset.c') diff --git a/third_party/libpng16/pngset.c b/third_party/libpng16/pngset.c index 303328f87e..1c51270cc5 100644 --- a/third_party/libpng16/pngset.c +++ b/third_party/libpng16/pngset.c @@ -283,17 +283,29 @@ png_set_pCAL(png_const_structrp png_ptr, png_inforp info_ptr, /* Check that the type matches the specification. */ if (type < 0 || type > 3) - png_error(png_ptr, "Invalid pCAL equation type"); + { + png_chunk_report(png_ptr, "Invalid pCAL equation type", + PNG_CHUNK_WRITE_ERROR); + return; + } if (nparams < 0 || nparams > 255) - png_error(png_ptr, "Invalid pCAL parameter count"); + { + png_chunk_report(png_ptr, "Invalid pCAL parameter count", + PNG_CHUNK_WRITE_ERROR); + return; + } /* Validate params[nparams] */ for (i=0; ipcal_purpose = png_voidcast(png_charp, @@ -301,8 +313,8 @@ png_set_pCAL(png_const_structrp png_ptr, png_inforp info_ptr, if (info_ptr->pcal_purpose == NULL) { - png_warning(png_ptr, "Insufficient memory for pCAL purpose"); - + png_chunk_report(png_ptr, "Insufficient memory for pCAL purpose", + PNG_CHUNK_WRITE_ERROR); return; } -- cgit v1.2.3