From 1791cbdb538b0fa52224870468d824a6b6636508 Mon Sep 17 00:00:00 2001 From: Tony Cook Date: Mon, 31 Dec 2018 21:25:19 +1100 Subject: [PATCH] fix double-free in TGA code --- Changes | 5 +++++ t/200-file/330-tga.t | 19 ++++++++++++++++++- tga.c | 7 +++---- 3 files changed, 26 insertions(+), 5 deletions(-) diff --git a/Changes b/Changes index f0a5be6b..b153ca02 100644 --- a/Changes +++ b/Changes @@ -1,5 +1,10 @@ Imager release history. Older releases can be found in Changes.old +Coverity finally finished a build, fix a few problems: + + - reading a color-mapped TGA file with an id string would cause a + double-free if the palette was truncated. + Imager 1.008 - 31 Dec 2018 ============ diff --git a/t/200-file/330-tga.t b/t/200-file/330-tga.t index cfdd6645..38b059c4 100644 --- a/t/200-file/330-tga.t +++ b/t/200-file/330-tga.t @@ -1,7 +1,7 @@ #!perl -w use Imager qw(:all); use strict; -use Test::More tests=>68; +use Test::More; use Imager::Test qw(is_color4 is_image test_image); -d "testout" or mkdir "testout"; @@ -232,6 +232,21 @@ is($compressed, 1, "check compressed tag"); } } +{ + # coverity issue - double free of idstring + my $im = test_image()->to_paletted({ make_colors => "webmap" }); + my $data; + ok($im->write(data => \$data, type => "tga", idstring => "test"), + "save good tga image"); + substr($data, 30) = ''; + my $im2 = Imager->new; + ok(!$im2->read(data => \$data, type => "tga"), + "fail to read bad tga"); + like($im2->errstr, qr/could not read targa colormap/, + "check error message"); + # shouldn't get a double free from valgrind +} + { # check close failures are handled correctly my $im = test_image(); my $fail_close = sub { @@ -245,6 +260,8 @@ is($compressed, 1, "check compressed tag"); "check error message"); } +done_testing(); + sub write_test { my ($im, $filename, $wierdpack, $compress, $idstring) = @_; local *FH; diff --git a/tga.c b/tga.c index fcfdb878..42e66621 100644 --- a/tga.c +++ b/tga.c @@ -559,7 +559,7 @@ tga_palette_read(io_glue *ig, i_img *img, int bytepp, int colourmaplength) { palbuf = mymalloc(palbsize); if (i_io_read(ig, palbuf, palbsize) != palbsize) { - i_push_error(errno, "could not read targa colourmap"); + i_push_error(errno, "could not read targa colormap"); return 0; } @@ -601,7 +601,7 @@ tga_palette_write(io_glue *ig, i_img *img, int bitspp, int colourmaplength) { } if (i_io_write(ig, palbuf, palbsize) != palbsize) { - i_push_error(errno, "could not write targa colourmap"); + i_push_error(errno, "could not write targa colormap"); return 0; } myfree(palbuf); @@ -773,8 +773,7 @@ i_readtga_wiol(io_glue *ig, int length) { bpp_to_bytes(header.colourmapdepth), header.colourmaplength) ) { - i_push_error(0, "Targa Image has none of 15/16/24/32 pixel layout"); - if (idstring) myfree(idstring); + /* tga_palette_read() sets a message */ if (img) i_img_destroy(img); return NULL; } -- 2.39.5