From 0630447196b898b60103ca634e5c9d034b9d24d1 Mon Sep 17 00:00:00 2001 From: Nicolas Pena Date: Thu, 26 Jan 2017 15:45:02 -0500 Subject: Fix leak in PredictorSetupDecode by calling tif_cleanup on failure MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit tif_data and tif_cleanup are both set on the TIFFInit methods, see for instance TIFFInitPixarLog. If PredictorSetupDecode fails, whatever was filled on tif_data should be cleaned up. The previous leak fix from PixarLogSetupDecode is no longer necessary. BUG=683834 Change-Id: Ib7dec3fb8addd56fa20f2e85c4ee918222a5f97e Reviewed-on: https://pdfium-review.googlesource.com/2432 Reviewed-by: Tom Sepez Commit-Queue: Nicolás Peña
---
.../0018-fix-leak-in-PredictorSetupDecode.patch | 39 ++++++++++++++++++++++ third_party/libtiff/README.pdfium | 1 + third_party/libtiff/tif_pixarlog.c | 6 ---- third_party/libtiff/tif_predict.c | 3 ++ 4 files changed, 43 insertions(+), 6 deletions(-) create mode 100644 third_party/libtiff/0018-fix-leak-in-PredictorSetupDecode.patch (limited to 'third_party/libtiff')
diff --git a/third_party/libtiff/0018-fix-leak-in-PredictorSetupDecode.patch b/third_party/libtiff/0018-fix-leak-in-PredictorSetupDecode.patch
new file mode 100644
index 0000000000..a18df77409
--- /dev/null
+++ b/third_party/libtiff/0018-fix-leak-in-PredictorSetupDecode.patch
@@ -0,0 +1,39 @@
+diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
+index 80006d5b1..29535d31e 100644
+--- a/third_party/libtiff/tif_pixarlog.c
++++ b/third_party/libtiff/tif_pixarlog.c
+@@ -697,9 +697,6 @@ PixarLogSetupDecode(TIFF* tif)
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
+ sp->user_datafmt = PixarLogGuessDataFmt(td);
+ if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
+- _TIFFfree(sp->tbuf);
+- sp->tbuf = NULL;
+- sp->tbuf_size = 0;
+ TIFFErrorExt(tif->tif_clientdata, module,
+ "PixarLog compression can't handle bits depth/data format combination (depth: %d)",
+ td->td_bitspersample);
+@@ -707,9 +704,6 @@ PixarLogSetupDecode(TIFF* tif)
+ }
+
+ if (inflateInit(&sp->stream) != Z_OK) {
+- _TIFFfree(sp->tbuf);
+- sp->tbuf = NULL;
+- sp->tbuf_size = 0;
+ TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg);
+ return (0);
+ } else {
+diff --git a/third_party/libtiff/tif_predict.c b/third_party/libtiff/tif_predict.c
+index 1388dde59..8975672ae 100644
+--- a/third_party/libtiff/tif_predict.c
++++ b/third_party/libtiff/tif_predict.c
+@@ -109,7 +109,10 @@ PredictorSetupDecode(TIFF* tif)
+ TIFFDirectory* td = &tif->tif_dir;
+
+ if (!(*sp->setupdecode)(tif) || !PredictorSetup(tif))
++ {
++ (*tif->tif_cleanup)(tif);
+ return 0;
++ }
+
+ if (sp->predictor == 2) {
+ switch (td->td_bitspersample) {
diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium
index 04f728e3f7..7057a58a87 100644
--- a/third_party/libtiff/README.pdfium
+++ b/third_party/libtiff/README.pdfium
@@ -27,3 +27,4 @@ Local Modifications:
 0015-fix-leaks-in-tif_ojpeg.patch: fix direct leaks in tif_ojpeg.c methods
 0016-fix-leak-in-pixarlogsetupdecode.patch: Free sp->tbuf if setup fails
 0017-safe_skews_in_gtTileContig.patch: return error if to/from skews overflow from int32.
+0018-fix-leak-in-PredictorSetupDecode.patch: call tif->tif_cleanup if the setup fails.
diff --git a/third_party/libtiff/tif_pixarlog.c b/third_party/libtiff/tif_pixarlog.c
index 80006d5b1b..29535d31ee 100644
--- a/third_party/libtiff/tif_pixarlog.c
+++ b/third_party/libtiff/tif_pixarlog.c
@@ -697,9 +697,6 @@ PixarLogSetupDecode(TIFF* tif)
 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN)
 sp->user_datafmt = PixarLogGuessDataFmt(td);
 if (sp->user_datafmt == PIXARLOGDATAFMT_UNKNOWN) {
- _TIFFfree(sp->tbuf);
- sp->tbuf = NULL;
- sp->tbuf_size = 0;
 TIFFErrorExt(tif->tif_clientdata, module,
 "PixarLog compression can't handle bits depth/data format combination (depth: %d)",
 td->td_bitspersample);
@@ -707,9 +704,6 @@ PixarLogSetupDecode(TIFF* tif)
 }

 if (inflateInit(&sp->stream) != Z_OK) {
- _TIFFfree(sp->tbuf);
- sp->tbuf = NULL;
- sp->tbuf_size = 0;
 TIFFErrorExt(tif->tif_clientdata, module, "%s", sp->stream.msg);
 return (0);
 } else {
diff --git a/third_party/libtiff/tif_predict.c b/third_party/libtiff/tif_predict.c
index 1388dde59c..8975672aec 100644
--- a/third_party/libtiff/tif_predict.c
+++ b/third_party/libtiff/tif_predict.c
@@ -109,7 +109,10 @@ PredictorSetupDecode(TIFF* tif)
 TIFFDirectory* td = &tif->tif_dir;

 if (!(*sp->setupdecode)(tif) || !PredictorSetup(tif))
+ {
+ (*tif->tif_cleanup)(tif);
 return 0;
+ }

 if (sp->predictor == 2) {
 switch (td->td_bitspersample) {
-- cgit v1.2.3
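Review bot: The new failure branch in PredictorSetupDecode calls `(*tif->tif_cleanup)(tif)` without recording the contract it creates, and that contract is what keeps this leak fix from becoming a double free or use-after-free. Per the commit message the cleanup hook releases what the codec stored in `tif_data`, so `sp` presumably dangles once the call returns, and the same hook is likely to run again when the file is closed. Both are safe only if every codec wrapped by the predictor has an idempotent cleanup and a `setupdecode` that leaves no freed-but-non-NULL pointers behind on failure; the lines removed from PixarLogSetupDecode in the hunks above did null `sp->tbuf`. I would add a comment above the call such as `/* Tears down codec state: sp is invalid after this, and tif_cleanup must tolerate being called again at close. */`. The function body continues past the end of the hunk, so whether an encode-side counterpart needs the same handling cannot be judged from here.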