From 76e2409cc908d1fa6ee6c7ff61b699594244bf6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20L=C3=B6hning?= Date: Wed, 28 Jul 2021 20:48:45 +0200 Subject: Fix memory leak if eXIf has incorrect crc Change eb6767 from upstream repo. Fixes oss-fuzz issue 23376. [ChangeLog][Third-Party Code][libpng] Fix for possible memory leak in libpng was backported. Change-Id: Id0c2f8b8bd60438ae8b5a61c83b6e50d55c6eb65 Pick-to: 6.2 6.1 5.15 Reviewed-by: Thiago Macieira
---
src/3rdparty/libpng/pngrutil.c | 6 ++---- src/3rdparty/libpng/qtpatches.diff | 17 +++++++++++++++++ 2 files changed, 19 insertions(+), 4 deletions(-) (limited to 'src/3rdparty/libpng')
diff --git a/src/3rdparty/libpng/pngrutil.c b/src/3rdparty/libpng/pngrutil.c
index d5fa08c397..4db3de990b 100644
--- a/src/3rdparty/libpng/pngrutil.c
+++ b/src/3rdparty/libpng/pngrutil.c
@@ -2087,10 +2087,8 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
 }
 }
 
- if (png_crc_finish(png_ptr, 0) != 0)
- return;
-
- png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
+ if (png_crc_finish(png_ptr, 0) == 0)
+ png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
 
 png_free(png_ptr, info_ptr->eXIf_buf);
 info_ptr->eXIf_buf = NULL;
diff --git a/src/3rdparty/libpng/qtpatches.diff b/src/3rdparty/libpng/qtpatches.diff
index f90558103b..b2bdb1475d 100644
--- a/src/3rdparty/libpng/qtpatches.diff
+++ b/src/3rdparty/libpng/qtpatches.diff
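Review bot: The now-unconditional `png_free(png_ptr, info_ptr->eXIf_buf)` after the new `if` relies on `png_set_eXIf_1` taking its own copy of the data rather than keeping the pointer, and nothing visible in the hunk records that. A comment above the `if` would pin the ownership rule, e.g. `/* eXIf_buf is scratch storage: png_set_eXIf_1 is expected to copy it, so release it whether or not the CRC matched */`. png_handle_eXIf begins outside the hunk, so any earlier `return` taken after eXIf_buf is allocated cannot be checked from here and should be reviewed for the same leak. Because the chunk bytes come from the image file, keeping an input with a bad eXIf CRC as a regression case would hold this path under a leak checker.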
@@ -43,3 +43,20 @@ index 583c26f9bd..2ab9b70d73 100644
 # define PNG_ABORT() ExitProcess(0)
 # else
 # define PNG_ABORT() abort()
+diff --git a/src/3rdparty/libpng/pngrutil.c b/src/3rdparty/libpng/pngrutil.c
+index d5fa08c397..4db3de990b 100644
+--- a/src/3rdparty/libpng/pngrutil.c
++++ b/src/3rdparty/libpng/pngrutil.c
+@@ -2087,10 +2087,8 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
+ }
+ }
+
+- if (png_crc_finish(png_ptr, 0) != 0)
+- return;
+-
+- png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
++ if (png_crc_finish(png_ptr, 0) == 0)
++ png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
+
+ png_free(png_ptr, info_ptr->eXIf_buf);
+ info_ptr->eXIf_buf = NULL;
-- cgit v1.2.3