fixed various memory leaks that could occur when failing to read png,

author Tony Cook <tony@develop=help.com>

Tue, 26 Jun 2007 11:17:00 +0000 (11:17 +0000)

committer Tony Cook <tony@develop=help.com>

Tue, 26 Jun 2007 11:17:00 +0000 (11:17 +0000)
author Tony Cook <tony@develop=help.com>
Tue, 26 Jun 2007 11:17:00 +0000 (11:17 +0000)
committer Tony Cook <tony@develop=help.com>
Tue, 26 Jun 2007 11:17:00 +0000 (11:17 +0000)
diff --git a/Changes b/Changes

index 3cf0d0b50befeb6ec56b714e78d0437ab83d9ea4..c4c8743c32431b7fd35d6dcb0bf18e5ebcf9bed2 100644 (file)
--- a/Changes
+++ b/Changes
@@ -10,6 +10,9 @@ Bug fixes:
     We now expand the palette to match the indexes used.
     Thanks to Gabriel Vasseur for reporting this.
  
     We now expand the palette to match the indexes used.
     Thanks to Gabriel Vasseur for reporting this.
  
+ - fixed various memory leaks that could occur when failing to read png,
+   jpeg, bmp or tga files.
+
  Imager 0.59 - 14 June 2007
  ===========
  
  Imager 0.59 - 14 June 2007
  ===========
  
diff --git a/bmp.c b/bmp.c

index 172b1a322ae9b649ad36d4aa2023b2d500020205..e7fc54fd908b5112cbbf8c0430a74bd520201021 100644 (file)
--- a/bmp.c
+++ b/bmp.c
@@ -918,6 +918,7 @@ read_4bit_bmp(io_glue *ig, int xsize, int ysize, int clr_used,
        else if (packed[0]) {
         if (x + packed[0] > xsize) {
           /* this file is corrupt */
        else if (packed[0]) {
         if (x + packed[0] > xsize) {
           /* this file is corrupt */
+         myfree(packed);
           myfree(line);
           i_push_error(0, "invalid data during decompression");
           i_img_destroy(im);
           myfree(line);
           i_push_error(0, "invalid data during decompression");
           i_img_destroy(im);
@@ -967,6 +968,7 @@ read_4bit_bmp(io_glue *ig, int xsize, int ysize, int clr_used,
            count = packed[1];
           if (x + count > xsize) {
             /* this file is corrupt */
            count = packed[1];
           if (x + count > xsize) {
             /* this file is corrupt */
+           myfree(packed);
             myfree(line);
             i_push_error(0, "invalid data during decompression");
             i_img_destroy(im);
             myfree(line);
             i_push_error(0, "invalid data during decompression");
             i_img_destroy(im);
diff --git a/imexif.c b/imexif.c

index 9e562f7f4f84ca07cef41bd9a26f8d7729a1eb1d..ff78d966cc10e8d90682dd63f5a22c66e50a65a1 100644 (file)
--- a/imexif.c
+++ b/imexif.c
@@ -942,6 +942,7 @@ tiff_load_ifd(imtiff *tiff, unsigned long offset) {
        entry->item_size = type_sizes[entry->type];
        entry->size = entry->item_size * entry->count;
        if (entry->size / entry->item_size != entry->count) {
        entry->item_size = type_sizes[entry->type];
        entry->size = entry->item_size * entry->count;
        if (entry->size / entry->item_size != entry->count) {
+       myfree(entries);
         mm_log((1, "Integer overflow calculating tag data size processing EXIF block\n"));
         return 0;
        }
         mm_log((1, "Integer overflow calculating tag data size processing EXIF block\n"));
         return 0;
        }
diff --git a/jpeg.c b/jpeg.c

index 90573b7ae7716e642ccbf5b875111cdb71bd3d3c..f3d5fc7f917ea84cb523e728ff7ae31da4566471 100644 (file)
--- a/jpeg.c
+++ b/jpeg.c
@@ -383,7 +383,7 @@ typedef void (*transfer_function_t)(i_color *out, JSAMPARRAY in, int width);
  */
  i_img*
  i_readjpeg_wiol(io_glue *data, int length, char** iptc_itext, int *itlength) {
  */
  i_img*
  i_readjpeg_wiol(io_glue *data, int length, char** iptc_itext, int *itlength) {
-  i_img *im;
+  i_img * volatile im = NULL;
  #ifdef IMEXIF_ENABLE
    int seen_exif = 0;
  #endif
  #ifdef IMEXIF_ENABLE
    int seen_exif = 0;
  #endif
@@ -395,6 +395,7 @@ i_readjpeg_wiol(io_glue *data, int length, char** iptc_itext, int *itlength) {
    jpeg_saved_marker_ptr markerp;
    transfer_function_t transfer_f;
    int channels;
    jpeg_saved_marker_ptr markerp;
    transfer_function_t transfer_f;
    int channels;
+  volatile int src_set = 0;
  
    mm_log((1,"i_readjpeg_wiol(data 0x%p, length %d,iptc_itext 0x%p)\n", data, length, iptc_itext));
  
  
    mm_log((1,"i_readjpeg_wiol(data 0x%p, length %d,iptc_itext 0x%p)\n", data, length, iptc_itext));
  
@@ -407,11 +408,15 @@ i_readjpeg_wiol(io_glue *data, int length, char** iptc_itext, int *itlength) {
  
    /* Set error handler */
    if (setjmp(jerr.setjmp_buffer)) {
  
    /* Set error handler */
    if (setjmp(jerr.setjmp_buffer)) {
+    if (src_set)
+      wiol_term_source(&cinfo);
      jpeg_destroy_decompress(&cinfo); 
      *iptc_itext=NULL;
      *itlength=0;
      if (line_buffer)
        myfree(line_buffer);
      jpeg_destroy_decompress(&cinfo); 
      *iptc_itext=NULL;
      *itlength=0;
      if (line_buffer)
        myfree(line_buffer);
+    if (im)
+      i_img_destroy(im);
      return NULL;
    }
    
      return NULL;
    }
    
@@ -420,6 +425,7 @@ i_readjpeg_wiol(io_glue *data, int length, char** iptc_itext, int *itlength) {
    jpeg_save_markers(&cinfo, JPEG_APP1, 0xFFFF);
    jpeg_save_markers(&cinfo, JPEG_COM, 0xFFFF);
    jpeg_wiol_src(&cinfo, data, length);
    jpeg_save_markers(&cinfo, JPEG_APP1, 0xFFFF);
    jpeg_save_markers(&cinfo, JPEG_COM, 0xFFFF);
    jpeg_wiol_src(&cinfo, data, length);
+  src_set = 1;
  
    (void) jpeg_read_header(&cinfo, TRUE);
    (void) jpeg_start_decompress(&cinfo);
  
    (void) jpeg_read_header(&cinfo, TRUE);
    (void) jpeg_start_decompress(&cinfo);
diff --git a/png.c b/png.c

index 5ea25ce08c047fd10c9e252cd0c5f316ec6eba2e..af9033e886c068b4de56c43953f711f1ccf2d4e4 100644 (file)
--- a/png.c
+++ b/png.c
@@ -184,7 +184,7 @@ static void get_png_tags(i_img *im, png_structp png_ptr, png_infop info_ptr);
  
  i_img*
  i_readpng_wiol(io_glue *ig, int length) {
  
  i_img*
  i_readpng_wiol(io_glue *ig, int length) {
-  i_img *im;
+  i_img *im = NULL;
    png_structp png_ptr;
    png_infop info_ptr;
    png_uint_32 width, height;
    png_structp png_ptr;
    png_infop info_ptr;
    png_uint_32 width, height;
@@ -208,6 +208,7 @@ i_readpng_wiol(io_glue *ig, int length) {
    }
    
    if (setjmp(png_ptr->jmpbuf)) {
    }
    
    if (setjmp(png_ptr->jmpbuf)) {
+    if (im) i_img_destroy(im);
      mm_log((1,"i_readpng_wiol: error.\n"));
      png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp)NULL);
      return NULL;
      mm_log((1,"i_readpng_wiol: error.\n"));
      png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp)NULL);
      return NULL;
diff --git a/tga.c b/tga.c

index 6943dfc9cebdecab5d6c9e502c0090b1fc3a2c28..67594ee3a2a72b9491105759ab0837e2d8642c6b 100644 (file)
--- a/tga.c
+++ b/tga.c
@@ -777,6 +777,7 @@ i_readtga_wiol(io_glue *ig, int length) {
    for(y=0; y<height; y++) {
      if (!tga_source_read(&src, databuf, width)) {
        i_push_error(errno, "read for targa data failed");
    for(y=0; y<height; y++) {
      if (!tga_source_read(&src, databuf, width)) {
        i_push_error(errno, "read for targa data failed");
+      if (linebuf) myfree(linebuf);
        myfree(databuf);
        if (img) i_img_destroy(img);
        return NULL;
        myfree(databuf);
        if (img) i_img_destroy(img);
        return NULL;
author	Tony Cook <tony@develop=help.com>
	Tue, 26 Jun 2007 11:17:00 +0000 (11:17 +0000)
committer	Tony Cook <tony@develop=help.com>
	Tue, 26 Jun 2007 11:17:00 +0000 (11:17 +0000)
Changes		patch \| blob \| blame \| history
bmp.c		patch \| blob \| blame \| history
imexif.c		patch \| blob \| blame \| history
jpeg.c		patch \| blob \| blame \| history
png.c		patch \| blob \| blame \| history
tga.c		patch \| blob \| blame \| history