From 0630447196b898b60103ca634e5c9d034b9d24d1 Mon Sep 17 00:00:00 2001
From: Nicolas Pena <npm@chromium.org>
Date: Thu, 26 Jan 2017 15:45:02 -0500
Subject: Fix leak in PredictorSetupDecode by calling tif_cleanup on failure
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

tif_data and tif_cleanup are both set on the TIFFInit methods, see for
instance TIFFInitPixarLog. If PredictorSetupDecode fails, whatever was
filled on tif_data should be cleaned up. The previous leak fix from
PixarLogSetupDecode is no longer necessary.

BUG=683834

Change-Id: Ib7dec3fb8addd56fa20f2e85c4ee918222a5f97e
Reviewed-on: https://pdfium-review.googlesource.com/2432
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Nicolás Peña <npm@chromium.org>
---
 .../0018-fix-leak-in-PredictorSetupDecode.patch    | 39 ++++++++++++++++++++++
 third_party/libtiff/README.pdfium                  |  1 +
 third_party/libtiff/tif_pixarlog.c                 |  6 ----
 third_party/libtiff/tif_predict.c                  |  3 ++
 4 files changed, 43 insertions(+), 6 deletions(-)
 create mode 100644 third_party/libtiff/0018-fix-leak-in-PredictorSetupDecode.patch

(limited to 'third_party/libtiff')

diff --git a/third_party/libtiff/0018-fix-leak-in-PredictorSetupDecode.patch b/third_party/libtiff/0018-fix-leak-in-PredictorSetupDecode.patch
new file mode 100644
index 0000000000..a18df77409
--- /dev/null
+++ b/third_party/libtiff/0018-fix-leak-in-PredictorSetupDecode.patch
@@ -0,0 +1,39 @@
+diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
+index 80006d5b1..29535d31e 100644
+--- a/third_party/libtiff/tif_pixarlog.c
++++ b/third_party/libtiff/tif_pixarlog.c
+@@ -697,9 +697,6 @@ PixarLogSetupDecode(TIFF* tif)
+        if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
+                sp->user_datafmt = PixarLogGuessDataFmt(td);
+        if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
+-               _TIFFfree(sp->tbuf);
+-               sp->tbuf = NULL;
+-               sp->tbuf_size = 0;
+                TIFFErrorExt(tif->tif_clientdata, module,
+                        "PixarLog compression can't handle bits depth/data format combination (depth: %d)", 
+                        td->td_bitspersample);
+@@ -707,9 +704,6 @@ PixarLogSetupDecode(TIFF* tif)
+        }
+ 
+        if (inflateInit(&sp->stream) != Z_OK) {
+-               _TIFFfree(sp->tbuf);
+-               sp->tbuf = NULL;
+-               sp->tbuf_size = 0;
+                TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg);
+                return (0);
+        } else {
+diff --git a/third_party/libtiff/tif_predict.c b/third_party/libtiff/tif_predict.c
+index 1388dde59..8975672ae 100644
+--- a/third_party/libtiff/tif_predict.c
++++ b/third_party/libtiff/tif_predict.c
+@@ -109,7 +109,10 @@ PredictorSetupDecode(TIFF* tif)
+        TIFFDirectory* td = &tif->tif_dir;
+ 
+        if (!(*sp->setupdecode)(tif) || !PredictorSetup(tif))
++       {
++               (*tif->tif_cleanup)(tif);
+                return 0;
++       }
+ 
+        if (sp->predictor == 2) {
+                switch (td->td_bitspersample) {
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 04f728e3f7..7057a58a87 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -27,3 +27,4 @@ Local Modifications:
 0015-fix-leaks-in-tif_ojpeg.patch: fix direct leaks in tif_ojpeg.c methods
 0016-fix-leak-in-pixarlogsetupdecode.patch: Free sp->tbuf if setup fails
 0017-safe_skews_in_gtTileContig.patch: return error if to/from skews overflow from int32.
+0018-fix-leak-in-PredictorSetupDecode.patch: call tif->tif_cleanup if the setup fails.
diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
index 80006d5b1b..29535d31ee 100644
--- a/third_party/libtiff/tif_pixarlog.c
+++ b/third_party/libtiff/tif_pixarlog.c
@@ -697,9 +697,6 @@ PixarLogSetupDecode(TIFF* tif)
 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
 		sp->user_datafmt = PixarLogGuessDataFmt(td);
 	if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
-		_TIFFfree(sp->tbuf);
-		sp->tbuf = NULL;
-		sp->tbuf_size = 0;
 		TIFFErrorExt(tif->tif_clientdata, module,
 			"PixarLog compression can't handle bits depth/data format combination (depth: %d)", 
 			td->td_bitspersample);
@@ -707,9 +704,6 @@ PixarLogSetupDecode(TIFF* tif)
 	}
 
 	if (inflateInit(&sp->stream) != Z_OK) {
-		_TIFFfree(sp->tbuf);
-		sp->tbuf = NULL;
-		sp->tbuf_size = 0;
 		TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg);
 		return (0);
 	} else {
diff --git a/third_party/libtiff/tif_predict.c b/third_party/libtiff/tif_predict.c
index 1388dde59c..8975672aec 100644
--- a/third_party/libtiff/tif_predict.c
+++ b/third_party/libtiff/tif_predict.c
@@ -109,7 +109,10 @@ PredictorSetupDecode(TIFF* tif)
 	TIFFDirectory* td = &tif->tif_dir;
 
 	if (!(*sp->setupdecode)(tif) || !PredictorSetup(tif))
+	{
+		(*tif->tif_cleanup)(tif);
 		return 0;
+	}
 
 	if (sp->predictor == 2) {
 		switch (td->td_bitspersample) {
-- 
cgit v1.2.3