Fix memory leak if eXIf has incorrect crc

Change eb6767 from upstream repo. Fixes oss-fuzz issue 23376. [ChangeLog][Third-Party Code][libpng] Fix for possible memory leak in libpng was backported. Change-Id: Id0c2f8b8bd60438ae8b5a61c83b6e50d55c6eb65 Pick-to: 6.2 6.1 5.15 Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
2021-07-28 20:48:45 +02:00 · 2021-07-28 20:48:45 +02:00 · 76e2409cc9
commit 76e2409cc9
parent 472520afb9
2 changed files with 19 additions and 4 deletions
--- a/src/3rdparty/libpng/pngrutil.c
+++ b/src/3rdparty/libpng/pngrutil.c
@ -2087,10 +2087,8 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
      }
   }

-   if (png_crc_finish(png_ptr, 0) != 0)
-      return;
-
-   png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
+   if (png_crc_finish(png_ptr, 0) == 0)
+      png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);

   png_free(png_ptr, info_ptr->eXIf_buf);
   info_ptr->eXIf_buf = NULL;
--- a/src/3rdparty/libpng/qtpatches.diff
+++ b/src/3rdparty/libpng/qtpatches.diff
@ -43,3 +43,20 @@ index 583c26f9bd..2ab9b70d73 100644
 #    define PNG_ABORT() ExitProcess(0)
 #  else
 #    define PNG_ABORT() abort()
+diff --git a/src/3rdparty/libpng/pngrutil.c b/src/3rdparty/libpng/pngrutil.c
+index d5fa08c397..4db3de990b 100644
+--- a/src/3rdparty/libpng/pngrutil.c
+++ b/src/3rdparty/libpng/pngrutil.c
+@@ -2087,10 +2087,8 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
+       }
+    }
+ 
+-   if (png_crc_finish(png_ptr, 0) != 0)
+-      return;
+-
+-   png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
+   if (png_crc_finish(png_ptr, 0) == 0)
+      png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
+ 
+    png_free(png_ptr, info_ptr->eXIf_buf);
+    info_ptr->eXIf_buf = NULL;