authorRobert Löhning <robert.loehning@qt.io>2021-07-28 20:48:45 +0200
committerRobert Löhning <robert.loehning@qt.io>2021-08-10 18:52:41 +0000
commit76e2409cc908d1fa6ee6c7ff61b699594244bf6c (patch)
tree963f18a388d08f0c577f70ddc4db31b9d5448866 /src/3rdparty/libpng
parent472520afb9081856a2556c7df221c084a42a2d42 (diff)
Fix memory leak if eXIf has incorrect crc
Change eb6767 from upstream repo. Fixes oss-fuzz issue 23376. [ChangeLog][Third-Party Code][libpng] Fix for possible memory leak in libpng was backported. Change-Id: Id0c2f8b8bd60438ae8b5a61c83b6e50d55c6eb65 Pick-to: 6.2 6.1 5.15 Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Diffstat (limited to 'src/3rdparty/libpng')
-rw-r--r--src/3rdparty/libpng/pngrutil.c6
-rw-r--r--src/3rdparty/libpng/qtpatches.diff17
2 files changed, 19 insertions, 4 deletions
diff --git a/src/3rdparty/libpng/pngrutil.c b/src/3rdparty/libpng/pngrutil.c
index d5fa08c397..4db3de990b 100644
--- a/src/3rdparty/libpng/pngrutil.c
+++ b/src/3rdparty/libpng/pngrutil.c
@@ -2087,10 +2087,8 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
}
}
- if (png_crc_finish(png_ptr, 0) != 0)
- return;
-
- png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
+ if (png_crc_finish(png_ptr, 0) == 0)
+ png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
png_free(png_ptr, info_ptr->eXIf_buf);
info_ptr->eXIf_buf = NULL;
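Review bot: The unconditional `png_free(png_ptr, info_ptr->eXIf_buf);` after the new `if (png_crc_finish(png_ptr, 0) == 0)` guard is what actually closes the leak, but nothing on those lines records that the cleanup must run on both CRC outcomes. I would add a short comment above the free, `/* Always release eXIf_buf here, whether or not the CRC matched. */`, so a later resync with upstream libpng does not put an early return back in front of it. Since a bad CRC on an eXIf chunk comes straight from the image file, a regression test that decodes such a PNG under a leak checker would be a useful addition. png_handle_eXIf starts before this hunk, so any earlier exit paths are not visible here and should be checked for the same free-and-NULL pattern.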
diff --git a/src/3rdparty/libpng/qtpatches.diff b/src/3rdparty/libpng/qtpatches.diff
index f90558103b..b2bdb1475d 100644
--- a/src/3rdparty/libpng/qtpatches.diff
+++ b/src/3rdparty/libpng/qtpatches.diff
@@ -43,3 +43,20 @@ index 583c26f9bd..2ab9b70d73 100644
# define PNG_ABORT() ExitProcess(0)
# else
# define PNG_ABORT() abort()
+diff --git a/src/3rdparty/libpng/pngrutil.c b/src/3rdparty/libpng/pngrutil.c
+index d5fa08c397..4db3de990b 100644
+--- a/src/3rdparty/libpng/pngrutil.c
++++ b/src/3rdparty/libpng/pngrutil.c
+@@ -2087,10 +2087,8 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
+ }
+ }
+
+- if (png_crc_finish(png_ptr, 0) != 0)
+- return;
+-
+- png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
++ if (png_crc_finish(png_ptr, 0) == 0)
++ png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
+
+ png_free(png_ptr, info_ptr->eXIf_buf);
+ info_ptr->eXIf_buf = NULL;