diff options
author | Robert Löhning <robert.loehning@qt.io> | 2021-07-28 20:48:45 +0200 |
---|---|---|
committer | Robert Löhning <robert.loehning@qt.io> | 2021-08-10 18:52:41 +0000 |
commit | 76e2409cc908d1fa6ee6c7ff61b699594244bf6c (patch) | |
tree | 963f18a388d08f0c577f70ddc4db31b9d5448866 /src/3rdparty/libpng | |
parent | 472520afb9081856a2556c7df221c084a42a2d42 (diff) |
Fix memory leak if eXIf has incorrect crc
Change eb6767 from upstream repo.
Fixes oss-fuzz issue 23376.
[ChangeLog][Third-Party Code][libpng] Fix for possible memory leak in
libpng was backported.
Change-Id: Id0c2f8b8bd60438ae8b5a61c83b6e50d55c6eb65
Pick-to: 6.2 6.1 5.15
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Diffstat (limited to 'src/3rdparty/libpng')
-rw-r--r-- | src/3rdparty/libpng/pngrutil.c | 6 | ||||
-rw-r--r-- | src/3rdparty/libpng/qtpatches.diff | 17 |
2 files changed, 19 insertions, 4 deletions
diff --git a/src/3rdparty/libpng/pngrutil.c b/src/3rdparty/libpng/pngrutil.c index d5fa08c397..4db3de990b 100644 --- a/src/3rdparty/libpng/pngrutil.c +++ b/src/3rdparty/libpng/pngrutil.c @@ -2087,10 +2087,8 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) } } - if (png_crc_finish(png_ptr, 0) != 0) - return; - - png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf); + if (png_crc_finish(png_ptr, 0) == 0) + png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf); png_free(png_ptr, info_ptr->eXIf_buf); info_ptr->eXIf_buf = NULL; diff --git a/src/3rdparty/libpng/qtpatches.diff b/src/3rdparty/libpng/qtpatches.diff index f90558103b..b2bdb1475d 100644 --- a/src/3rdparty/libpng/qtpatches.diff +++ b/src/3rdparty/libpng/qtpatches.diff @@ -43,3 +43,20 @@ index 583c26f9bd..2ab9b70d73 100644 # define PNG_ABORT() ExitProcess(0) # else # define PNG_ABORT() abort() +diff --git a/src/3rdparty/libpng/pngrutil.c b/src/3rdparty/libpng/pngrutil.c +index d5fa08c397..4db3de990b 100644 +--- a/src/3rdparty/libpng/pngrutil.c ++++ b/src/3rdparty/libpng/pngrutil.c +@@ -2087,10 +2087,8 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) + } + } + +- if (png_crc_finish(png_ptr, 0) != 0) +- return; +- +- png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf); ++ if (png_crc_finish(png_ptr, 0) == 0) ++ png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf); + + png_free(png_ptr, info_ptr->eXIf_buf); + info_ptr->eXIf_buf = NULL; |