Fix memory leak if eXIf has incorrect crc

Problem description: Imagine a bitstream with an eXIf data segment that has invalid CRC. If png_crc_finish() fails at line 2090, info_ptr->eXIf_buf is not freed (despite the free_me setting at line 2062) because png_free_data() is not called. png_read_info() is actually looping several time over the png_eXIf chunk, calling png_handle_eXIf() several time in a row without freeing the buffer. This patch fixes the problem by leaving info_ptr's content in a clean state in case of failure, as it is done at line 2084.
pnggroup · Apr 27, 2020 · eb67672 · eb67672
1 parent 9f734b1
commit eb67672
Showing 1 changed file with 2 additions and 4 deletions.
diff --git a/pngrutil.c b/pngrutil.c
@@ -2087,10 +2087,8 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
       }
    }
 
-   if (png_crc_finish(png_ptr, 0) != 0)
-      return;
-
-   png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
+   if (png_crc_finish(png_ptr, 0) == 0)
+      png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf);
 
    png_free(png_ptr, info_ptr->eXIf_buf);
    info_ptr->eXIf_buf = NULL;