File optipng-use-after-free.diff of Package optipng
--- lib/pngxtern/gif/gifread.c
+++ lib/pngxtern/gif/gifread.c
@@ -224,13 +224,12 @@
GIF_FGETC(label, stream);
GIF_TRACE(("Reading Extension (0x%X)\n", label));
- if (ext != NULL)
- ext->Label = (unsigned char)label;
- if (ext == NULL || ext->Buffer == NULL)
+ if (ext == NULL)
{
SkipDataBlocks(stream);
return;
}
+ ext->Label = (unsigned char)label;
offset = 0;
len = ext->BufferSize;
@@ -238,9 +237,11 @@
{
if (len < UCHAR_MAX)
{
- len += 1024;
ext->BufferSize += 1024;
ext->Buffer = realloc(ext->Buffer, ext->BufferSize);
+ if (ext->Buffer == NULL)
+ GIFError("Out of memory");
+ len += 1024;
}
count = ReadDataBlock(ext->Buffer + offset, stream);
if (count == 0)
--- lib/pngxtern/pngxrgif.c
+++ lib/pngxtern/pngxrgif.c
@@ -116,8 +116,6 @@
pngx_read_gif(png_structp png_ptr, png_infop info_ptr, FILE *stream)
{
/* GIF-specific data */
- unsigned char *buf;
- const unsigned int bufsize = 1024;
struct GIFScreen screen;
struct GIFImage image;
struct GIFExtension ext;
@@ -148,15 +146,9 @@
/* Allocate memory. */
row_pointers = pngx_malloc_rows(png_ptr, info_ptr, (int)screen.Background);
- /* The GIF extension buffer must be allocated using malloc(),
- * because the GIF routines might call realloc() later.
- */
- buf = (unsigned char *)malloc(bufsize);
- if (buf == NULL)
- png_error(png_ptr, "Out of memory");
GIFInitImage(&image, &screen, row_pointers);
- GIFInitExtension(&ext, &screen, buf, bufsize);
+ GIFInitExtension(&ext, &screen, NULL, 0);
transparent = (unsigned int)-1;
numImages = 0;
@@ -193,7 +185,11 @@
break;
}
- free(ext.Buffer); /* use free() in conjunction with malloc() */
+ /* Deallocate the GIF reader's extension buffer.
+ * Use free() in conjunction with the reader's realloc().
+ */
+ if (ext.Buffer != NULL)
+ free(ext.Buffer);
/* FIXME:
* Deallocate ext.Buffer on error, to prevent memory leaks.
*/
