Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Evergreen:11.1:kernel-2.6.32
optipng
optipng-use-after-free.diff
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File optipng-use-after-free.diff of Package optipng
--- lib/pngxtern/gif/gifread.c +++ lib/pngxtern/gif/gifread.c @@ -224,13 +224,12 @@ GIF_FGETC(label, stream); GIF_TRACE(("Reading Extension (0x%X)\n", label)); - if (ext != NULL) - ext->Label = (unsigned char)label; - if (ext == NULL || ext->Buffer == NULL) + if (ext == NULL) { SkipDataBlocks(stream); return; } + ext->Label = (unsigned char)label; offset = 0; len = ext->BufferSize; @@ -238,9 +237,11 @@ { if (len < UCHAR_MAX) { - len += 1024; ext->BufferSize += 1024; ext->Buffer = realloc(ext->Buffer, ext->BufferSize); + if (ext->Buffer == NULL) + GIFError("Out of memory"); + len += 1024; } count = ReadDataBlock(ext->Buffer + offset, stream); if (count == 0) --- lib/pngxtern/pngxrgif.c +++ lib/pngxtern/pngxrgif.c @@ -116,8 +116,6 @@ pngx_read_gif(png_structp png_ptr, png_infop info_ptr, FILE *stream) { /* GIF-specific data */ - unsigned char *buf; - const unsigned int bufsize = 1024; struct GIFScreen screen; struct GIFImage image; struct GIFExtension ext; @@ -148,15 +146,9 @@ /* Allocate memory. */ row_pointers = pngx_malloc_rows(png_ptr, info_ptr, (int)screen.Background); - /* The GIF extension buffer must be allocated using malloc(), - * because the GIF routines might call realloc() later. - */ - buf = (unsigned char *)malloc(bufsize); - if (buf == NULL) - png_error(png_ptr, "Out of memory"); GIFInitImage(&image, &screen, row_pointers); - GIFInitExtension(&ext, &screen, buf, bufsize); + GIFInitExtension(&ext, &screen, NULL, 0); transparent = (unsigned int)-1; numImages = 0; @@ -193,7 +185,11 @@ break; } - free(ext.Buffer); /* use free() in conjunction with malloc() */ + /* Deallocate the GIF reader's extension buffer. + * Use free() in conjunction with the reader's realloc(). + */ + if (ext.Buffer != NULL) + free(ext.Buffer); /* FIXME: * Deallocate ext.Buffer on error, to prevent memory leaks. */
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor