fixed various memory leaks that could occur when failing to read png,

author Tony Cook <tony@develop=help.com>

Tue, 26 Jun 2007 11:17:00 +0000 (11:17 +0000)

committer Tony Cook <tony@develop=help.com>

Tue, 26 Jun 2007 11:17:00 +0000 (11:17 +0000)
author Tony Cook <tony@develop=help.com>
Tue, 26 Jun 2007 11:17:00 +0000 (11:17 +0000)
committer Tony Cook <tony@develop=help.com>
Tue, 26 Jun 2007 11:17:00 +0000 (11:17 +0000)
diff --git a/Changes b/Changes

index 3cf0d0b50befeb6ec56b714e78d0437ab83d9ea4..c4c8743c32431b7fd35d6dcb0bf18e5ebcf9bed2 100644 (file)
--- a/Changes
+++ b/Changes
@@ -10,6 +10,9 @@ Bug fixes:
     We now expand the palette to match the indexes used.
     Thanks to Gabriel Vasseur for reporting this.
  
+ - fixed various memory leaks that could occur when failing to read png,
+   jpeg, bmp or tga files.
+
  Imager 0.59 - 14 June 2007
  ===========
  
diff --git a/bmp.c b/bmp.c

index 172b1a322ae9b649ad36d4aa2023b2d500020205..e7fc54fd908b5112cbbf8c0430a74bd520201021 100644 (file)
--- a/bmp.c
+++ b/bmp.c
@@ -918,6 +918,7 @@ read_4bit_bmp(io_glue *ig, int xsize, int ysize, int clr_used,
        else if (packed[0]) {
         if (x + packed[0] > xsize) {
           /* this file is corrupt */
+         myfree(packed);
           myfree(line);
           i_push_error(0, "invalid data during decompression");
           i_img_destroy(im);
@@ -967,6 +968,7 @@ read_4bit_bmp(io_glue *ig, int xsize, int ysize, int clr_used,
            count = packed[1];
           if (x + count > xsize) {
             /* this file is corrupt */
+           myfree(packed);
             myfree(line);
             i_push_error(0, "invalid data during decompression");
             i_img_destroy(im);
diff --git a/imexif.c b/imexif.c

index 9e562f7f4f84ca07cef41bd9a26f8d7729a1eb1d..ff78d966cc10e8d90682dd63f5a22c66e50a65a1 100644 (file)
--- a/imexif.c
+++ b/imexif.c
@@ -942,6 +942,7 @@ tiff_load_ifd(imtiff *tiff, unsigned long offset) {
        entry->item_size = type_sizes[entry->type];
        entry->size = entry->item_size * entry->count;
        if (entry->size / entry->item_size != entry->count) {
+       myfree(entries);
         mm_log((1, "Integer overflow calculating tag data size processing EXIF block\n"));
         return 0;
        }
diff --git a/jpeg.c b/jpeg.c

index 90573b7ae7716e642ccbf5b875111cdb71bd3d3c..f3d5fc7f917ea84cb523e728ff7ae31da4566471 100644 (file)
--- a/jpeg.c
+++ b/jpeg.c
@@ -383,7 +383,7 @@ typedef void (*transfer_function_t)(i_color *out, JSAMPARRAY in, int width);
  */
  i_img*
  i_readjpeg_wiol(io_glue *data, int length, char** iptc_itext, int *itlength) {
-  i_img *im;
+  i_img * volatile im = NULL;
  #ifdef IMEXIF_ENABLE
    int seen_exif = 0;
  #endif
@@ -395,6 +395,7 @@ i_readjpeg_wiol(io_glue *data, int length, char** iptc_itext, int *itlength) {
    jpeg_saved_marker_ptr markerp;
    transfer_function_t transfer_f;
    int channels;
+  volatile int src_set = 0;
  
    mm_log((1,"i_readjpeg_wiol(data 0x%p, length %d,iptc_itext 0x%p)\n", data, length, iptc_itext));
  
@@ -407,11 +408,15 @@ i_readjpeg_wiol(io_glue *data, int length, char** iptc_itext, int *itlength) {
  
    /* Set error handler */
    if (setjmp(jerr.setjmp_buffer)) {
+    if (src_set)
+      wiol_term_source(&cinfo);
      jpeg_destroy_decompress(&cinfo); 
      *iptc_itext=NULL;
      *itlength=0;
      if (line_buffer)
        myfree(line_buffer);
+    if (im)
+      i_img_destroy(im);
      return NULL;
    }
    
@@ -420,6 +425,7 @@ i_readjpeg_wiol(io_glue *data, int length, char** iptc_itext, int *itlength) {
    jpeg_save_markers(&cinfo, JPEG_APP1, 0xFFFF);
    jpeg_save_markers(&cinfo, JPEG_COM, 0xFFFF);
    jpeg_wiol_src(&cinfo, data, length);
+  src_set = 1;
  
    (void) jpeg_read_header(&cinfo, TRUE);
    (void) jpeg_start_decompress(&cinfo);
diff --git a/png.c b/png.c

index 5ea25ce08c047fd10c9e252cd0c5f316ec6eba2e..af9033e886c068b4de56c43953f711f1ccf2d4e4 100644 (file)
--- a/png.c
+++ b/png.c
@@ -184,7 +184,7 @@ static void get_png_tags(i_img *im, png_structp png_ptr, png_infop info_ptr);
  
  i_img*
  i_readpng_wiol(io_glue *ig, int length) {
-  i_img *im;
+  i_img *im = NULL;
    png_structp png_ptr;
    png_infop info_ptr;
    png_uint_32 width, height;
@@ -208,6 +208,7 @@ i_readpng_wiol(io_glue *ig, int length) {
    }
    
    if (setjmp(png_ptr->jmpbuf)) {
+    if (im) i_img_destroy(im);
      mm_log((1,"i_readpng_wiol: error.\n"));
      png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp)NULL);
      return NULL;
diff --git a/tga.c b/tga.c

index 6943dfc9cebdecab5d6c9e502c0090b1fc3a2c28..67594ee3a2a72b9491105759ab0837e2d8642c6b 100644 (file)
--- a/tga.c
+++ b/tga.c
@@ -777,6 +777,7 @@ i_readtga_wiol(io_glue *ig, int length) {
    for(y=0; y<height; y++) {
      if (!tga_source_read(&src, databuf, width)) {
        i_push_error(errno, "read for targa data failed");
+      if (linebuf) myfree(linebuf);
        myfree(databuf);
        if (img) i_img_destroy(img);
        return NULL;
author	Tony Cook <tony@develop=help.com>
	Tue, 26 Jun 2007 11:17:00 +0000 (11:17 +0000)
committer	Tony Cook <tony@develop=help.com>
	Tue, 26 Jun 2007 11:17:00 +0000 (11:17 +0000)
Changes		patch \| blob \| blame \| history
bmp.c		patch \| blob \| blame \| history
imexif.c		patch \| blob \| blame \| history
jpeg.c		patch \| blob \| blame \| history
png.c		patch \| blob \| blame \| history
tga.c		patch \| blob \| blame \| history