From cac0408b5989718e977b51b598ad5733e94a9f01 Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Mon, 8 Feb 2010 07:30:16 -0600 Subject: [PATCH] [legacy] Return allocated "old_buffer" in png_push_save_buffer() before png_error(), to avoid a memory leak. --- ANNOUNCE | 1 + CHANGES | 3 ++- pngpread.c | 7 ++++++- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index 5ed50bcd..3daf19ef 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -64,6 +64,7 @@ version 1.2.43beta05 [February 7, 2010] Reverted recent changes to png_push_save-buffer(). Removed PNGAPI declaration of png_calloc() and png_write_sig() in 1ibpng-1.2.X, introduced by mistake in libpng-1.2.41. + Return allocated "old_buffer" in png_push_save_buffer() before png_error(). version 1.0.53rc01 and 1.2.43rc01 [February 8, 2010] No changes. diff --git a/CHANGES b/CHANGES index 5ac90382..77ef4308 100644 --- a/CHANGES +++ b/CHANGES @@ -2662,10 +2662,11 @@ version 1.2.43beta03 [February 6, 2010] version 1.2.43beta04 [February 7, 2010] Fixed incorrect test in new png_push_save_buffer() code. -version 1.2.43beta05 [February 7, 2010] +version 1.2.43beta05 [February 8, 2010] Reverted recent changes to png_push_save-buffer(). Removed PNGAPI declaration of png_calloc() and png_write_sig() in 1ibpng-1.2.X, introduced by mistake in libpng-1.2.41. + Return allocated "old_buffer" in png_push_save_buffer() before png_error(). version 1.0.53rc01 and 1.2.43rc01 [February 8, 2010] No changes. diff --git a/pngpread.c b/pngpread.c index c2225730..7139e4b4 100644 --- a/pngpread.c +++ b/pngpread.c 
@@ -702,8 +702,13 @@ png_push_save_buffer(png_structp png_ptr) new_max = png_ptr->save_buffer_size + png_ptr->current_buffer_size + 256; old_buffer = png_ptr->save_buffer; - png_ptr->save_buffer = (png_bytep)png_malloc(png_ptr, + png_ptr->save_buffer = (png_bytep)png_malloc_warn(png_ptr, (png_uint_32)new_max); + if (png_ptr->save_buffer == NULL) + { + png_free(png_ptr, old_buffer); + png_error(png_ptr, "Insufficient memory for save_buffer"); + } png_memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size); png_free(png_ptr, old_buffer); png_ptr->save_buffer_max = new_max;
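Review bot: The new failure branch frees old_buffer but leaves png_ptr->save_buffer_size (and save_buffer_max) describing a buffer that no longer exists while png_ptr->save_buffer is now NULL, so any caller that regains control after png_error() — a user error_fn that longjmps back into application code that keeps using png_ptr — would see an inconsistent struct. Clearing the size before raising keeps the struct self-consistent at no cost: add `png_ptr->save_buffer_size = 0;` between the png_free() and the png_error(). The free-before-error ordering also deserves a why-comment, e.g. `/* png_error() is not expected to return: release old_buffer here so it is not leaked, and leave save_buffer NULL so a later png_destroy_read_struct() presumably cannot double-free it. */`. The `(png_uint_32)new_max` cast silently truncates on platforms where new_max's type is wider than 32 bits; that predates this commit, but a bound check on new_max before the allocation would be the defensive addition. png_push_save_buffer() begins before this hunk and its body continues after it.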