From 02576e8de07af5590c76c6fb5d6935fca7bb8d03 Mon Sep 17 00:00:00 2001
From: Tony Cook
Date: Tue, 26 Jun 2007 11:17:00 +0000
Subject: [PATCH] fixed various memory leaks that could occur when failing to read png, jpeg, bmp or tga files.
---
 Changes | 3 +++
 bmp.c | 2 ++
 imexif.c | 1 +
 jpeg.c | 8 +++++++-
 png.c | 3 ++-
 tga.c | 1 +
 6 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/Changes b/Changes
index 3cf0d0b5..c4c8743c 100644
--- a/Changes
+++ b/Changes
@@ -10,6 +10,9 @@ Bug fixes:
 We now expand the palette to match the indexes used. Thanks to Gabriel Vasseur for reporting this.
+ - fixed various memory leaks that could occur when failing to read png,
+ jpeg, bmp or tga files.
+
 Imager 0.59 - 14 June 2007
 ===========
diff --git a/bmp.c b/bmp.c
index 172b1a32..e7fc54fd 100644
--- a/bmp.c
+++ b/bmp.c
@@ -918,6 +918,7 @@ read_4bit_bmp(io_glue *ig, int xsize, int ysize, int clr_used,
 else if (packed[0]) {
 if (x + packed[0] > xsize) {
 /* this file is corrupt */
+ myfree(packed);
 myfree(line);
 i_push_error(0, "invalid data during decompression");
 i_img_destroy(im);
@@ -967,6 +968,7 @@ read_4bit_bmp(io_glue *ig, int xsize, int ysize, int clr_used,
 count = packed[1];
 if (x + count > xsize) {
 /* this file is corrupt */
+ myfree(packed);
 myfree(line);
 i_push_error(0, "invalid data during decompression");
 i_img_destroy(im);
diff --git a/imexif.c b/imexif.c
index 9e562f7f..ff78d966 100644
--- a/imexif.c
+++ b/imexif.c
@@ -942,6 +942,7 @@ tiff_load_ifd(imtiff *tiff, unsigned long offset) {
 entry->item_size = type_sizes[entry->type];
 entry->size = entry->item_size * entry->count;
 if (entry->size / entry->item_size != entry->count) {
+ myfree(entries);
 mm_log((1, "Integer overflow calculating tag data size processing EXIF block\n"));
 return 0;
 }
diff --git a/jpeg.c b/jpeg.c
index 90573b7a..f3d5fc7f 100644
--- a/jpeg.c
+++ b/jpeg.c
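Review bot: The same cleanup sequence is now written out twice in read_4bit_bmp, once in each corrupt-data branch (this hunk and the one at -967), and the leak fixed here came from one buffer being left out of that sequence. Routing both branches through a single cleanup label, or at least marking each exit with `/* error exit: free packed and line, destroy im */`, would keep a later error path from repeating the omission. The function starts and ends outside both hunks, so its other return paths could not be checked from here; it is worth confirming that they also release `packed`, since every rejected file otherwise costs a buffer in a long-running process.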
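Review bot: The overflow test just above the added `myfree(entries)` divides by `entry->item_size`, which is read from `type_sizes[entry->type]` with no range check visible in this hunk. If `entry->type` is taken from the EXIF block and can select a zero or out-of-range table slot, the table read or the division is undefined before the new cleanup is ever reached. If the check exists above the hunk, a short comment such as `/* entry->type validated above, so item_size is non-zero */` would make that clear. tiff_load_ifd begins and ends outside the hunk, so this needs confirming against the full function.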
@@ -383,7 +383,7 @@ typedef void (*transfer_function_t)(i_color *out, JSAMPARRAY in, int width);
 */
 i_img*
 i_readjpeg_wiol(io_glue *data, int length, char** iptc_itext, int *itlength) {
- i_img *im;
+ i_img * volatile im = NULL;
 #ifdef IMEXIF_ENABLE
 int seen_exif = 0;
 #endif
@@ -395,6 +395,7 @@ i_readjpeg_wiol(io_glue *data, int length, char** iptc_itext, int *itlength) {
 jpeg_saved_marker_ptr markerp;
 transfer_function_t transfer_f;
 int channels;
+ volatile int src_set = 0;
 mm_log((1,"i_readjpeg_wiol(data 0x%p, length %d,iptc_itext 0x%p)\n", data, length, iptc_itext));
@@ -407,11 +408,15 @@ i_readjpeg_wiol(io_glue *data, int length, char** iptc_itext, int *itlength) {
 /* Set error handler */
 if (setjmp(jerr.setjmp_buffer)) {
+ if (src_set)
+ wiol_term_source(&cinfo);
 jpeg_destroy_decompress(&cinfo);
 *iptc_itext=NULL;
 *itlength=0;
 if (line_buffer)
 myfree(line_buffer);
+ if (im)
+ i_img_destroy(im);
 return NULL;
 }
@@ -420,6 +425,7 @@ i_readjpeg_wiol(io_glue *data, int length, char** iptc_itext, int *itlength) {
 jpeg_save_markers(&cinfo, JPEG_APP1, 0xFFFF);
 jpeg_save_markers(&cinfo, JPEG_COM, 0xFFFF);
 jpeg_wiol_src(&cinfo, data, length);
+ src_set = 1;
 (void) jpeg_read_header(&cinfo, TRUE);
 (void) jpeg_start_decompress(&cinfo);
diff --git a/png.c b/png.c
index 5ea25ce0..af9033e8 100644
--- a/png.c
+++ b/png.c
@@ -184,7 +184,7 @@ static void get_png_tags(i_img *im, png_structp png_ptr, png_infop info_ptr);
 i_img*
 i_readpng_wiol(io_glue *ig, int length) {
- i_img *im;
+ i_img *im = NULL;
 png_structp png_ptr;
 png_infop info_ptr;
 png_uint_32 width, height;
@@ -208,6 +208,7 @@ i_readpng_wiol(io_glue *ig, int length) {
 }
 if (setjmp(png_ptr->jmpbuf)) {
+ if (im) i_img_destroy(im);
 mm_log((1,"i_readpng_wiol: error.\n"));
 png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp)NULL);
 return NULL;
diff --git a/tga.c b/tga.c
index 6943dfc9..67594ee3 100644
--- a/tga.c
+++ b/tga.c
@@ -777,6 +777,7 @@ i_readtga_wiol(io_glue *ig, int length) {
 for(y=0; y
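Review bot: Neither `i_img * volatile im = NULL;` in this hunk nor `volatile int src_set = 0;` in the next one says why the qualifier is there, and an unexplained `volatile` is easy to drop in a later tidy-up. A comment on both declarations, for example `/* volatile: set after setjmp() and read in the error handler after longjmp() */`, would record the requirement. The body of i_readjpeg_wiol continues outside the hunk.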
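Review bot: The error handler still reads `line_buffer` after a longjmp (`if (line_buffer) myfree(line_buffer);`), but this commit only makes `im` and `src_set` volatile. The declaration of `line_buffer` is outside the hunks; if it is a plain automatic pointer assigned after setjmp(), its value in the handler is indeterminate, so the handler may skip the free or free a stale pointer. Giving it the same `* volatile` placement used for `im` would close that. Separately, `*iptc_itext=NULL;` discards whatever the caller's pointer held; if the function has already stored an allocated IPTC copy there before the failure (not visible here), that buffer still leaks on this path.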
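Review bot: `i_img *im = NULL;` is not volatile here, although the handler added in the next hunk reads it after a longjmp (`if (im) i_img_destroy(im);`) and jpeg.c in this same commit uses `i_img * volatile im` for exactly that case. If `im` is assigned between setjmp() and the failing libpng call, which the NULL test implies, a non-volatile automatic has an indeterminate value in the handler, so the image may still leak or a stale pointer may be destroyed. Suggest `i_img * volatile im = NULL;`. The body of i_readpng_wiol continues outside both hunks.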