From b0729b8fbb18dc1340ade628facf3f1cee498bfb Mon Sep 17 00:00:00 2001 From: Ben Wagner Date: Mon, 15 Mar 2021 14:32:24 -0400 Subject: [PATCH] [sfnt] Fix memory leak in png loading. Reported as https://bugs.chromium.org/p/chromium/issues/detail?id=1182552 Memory is allocated and the pointer assigned to `rows` inside a 'setjmp' scope. This memory must be freed outside the 'setjmp' scope after a 'longjmp'. Since `rows` is a local and modified inside the 'setjmp' scope it must be marked volatile or it will have an indeterminate value after the 'longjmp'. * src/sfnt/pngshim.c (Load_SBit_Png): Fix memory leak of `rows`. --- ChangeLog | 16 ++++++++++++++++ src/sfnt/pngshim.c | 5 ++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 1883fdacb..3535d069d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,19 @@ +2021-03-16 Ben Wagner + + [sfnt] Fix memory leak in png loading. + + Reported as + + https://bugs.chromium.org/p/chromium/issues/detail?id=1182552 + + Memory is allocated and the pointer assigned to `rows` inside a + 'setjmp' scope. This memory must be freed outside the 'setjmp' + scope after a 'longjmp'. Since `rows` is a local and modified + inside the 'setjmp' scope it must be marked volatile or it will have + an indeterminate value after the 'longjmp'. + + * src/sfnt/pngshim.c (Load_SBit_Png): Fix memory leak of `rows`. + 2021-03-16 Christopher Degawa * CMakeLists.txt: Don't limit generation of 'pkg-config' file to UNIX. diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c index c7a2938eb..3ef7b43b4 100644 --- a/src/sfnt/pngshim.c +++ b/src/sfnt/pngshim.c @@ -270,7 +270,10 @@ int bitdepth, color_type, interlace; FT_Int i; - png_byte* *rows = NULL; /* pacify compiler */ + + /* `rows` gets modified within a 'setjmp' scope; */ + /* we thus need the `volatile` keyword. */ + png_byte* *volatile rows = NULL; if ( x_offset < 0 ||
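Review bot: the ChangeLog entry is dated 2021-03-16 while the patch header carries an author date of Mon, 15 Mar 2021; if the entry is meant to carry the commit date it should read 2021-03-15, and if it records the date the maintainer applied the patch the mismatch is expected but worth a glance before merging.

Review bot: the pngshim.c hunk contains no call that frees `rows`, and the diffstat (4 insertions, 1 deletion in src/sfnt/pngshim.c) shows this is the complete change to that file, so the leak fix rests entirely on a cleanup that already follows the `setjmp` error target and, without `volatile`, could observe the stale NULL from the initializer instead of the allocated pointer. The commit message's "This memory must be freed outside the 'setjmp' scope after a 'longjmp'" reads as though a free were being added; rewording it to say the existing cleanup now reliably sees the updated pointer would make the hunk self-explanatory. The qualifier placement in `png_byte* *volatile rows = NULL;` is right: it qualifies the variable `rows` itself, which is what C requires for an automatic object modified between `setjmp` and `longjmp`, rather than the pointed-to bytes. The `= NULL` initializer is still needed even though the "pacify compiler" comment was dropped, because the error path can be taken before the array is allocated and the cleanup must then see NULL.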
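The pattern the commit message describes, as an added example that is not FreeType's or libpng's own code: a caller registers a jump buffer, allocates a row-pointer array after `setjmp`, and a decoder step that fails unwinds with `longjmp` to a single cleanup site. The names (`decoder_jmpbuf`, `decode_rows`, `load_png_like`, `tracked_malloc`) are hypothetical stand-ins for `png_jmpbuf`/`png_error` and the allocator; the allocation counter is there only so the leak-free result can be checked.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for libpng's error path: png_error() longjmps to the
 * buffer registered with png_jmpbuf(), and the caller's setjmp() returns
 * non-zero. Here decode_rows() plays the part of the failing libpng call. */
static jmp_buf decoder_jmpbuf;

/* Allocation bookkeeping so a caller can prove nothing leaked. */
static int live_allocs = 0;

static void *tracked_malloc(size_t n)
{
  void *p = malloc(n);
  if (p != NULL)
    live_allocs++;
  return p;
}

static void tracked_free(void *p)
{
  if (p != NULL) {
    live_allocs--;
    free(p);
  }
}

int live_allocations(void)
{
  return live_allocs;
}

/* Hypothetical decoder step; `fail` != 0 simulates a corrupt image. */
static void decode_rows(int fail)
{
  if (fail)
    longjmp(decoder_jmpbuf, 1);   /* what png_error() does internally */
}

/* Returns 0 on success, -1 on error. On both paths the row-pointer array
 * allocated after setjmp() is released before returning. */
int load_png_like(unsigned height, int fail)
{
  /* `rows` is written between setjmp() and a possible longjmp(), so the
   * variable itself must be volatile (C11 7.13.2.1p3); without it the
   * cleanup below could see the stale NULL from the initializer and leak.
   * Note the placement: `volatile` qualifies `rows`, not the bytes it
   * points to, exactly as in the pngshim.c change. */
  unsigned char **volatile rows = NULL;
  int error = 0;

  if (setjmp(decoder_jmpbuf) != 0) {
    /* Arrived here via longjmp(): the decoder failed mid-way. */
    error = -1;
    goto Exit;
  }

  rows = tracked_malloc(height * sizeof *rows);
  if (rows == NULL) {
    error = -1;
    goto Exit;
  }

  decode_rows(fail);            /* may longjmp() back to the setjmp() above */

Exit:
  /* Single cleanup site, reached by the normal path, the malloc-failure
   * path (rows still NULL) and the longjmp path (rows non-NULL). */
  tracked_free(rows);
  return error;
}

int main(void)
{
  int ok   = load_png_like(8, 0);
  int fail = load_png_like(8, 1);
  printf("success path: %d, live allocations: %d\n", ok, live_allocations());
  printf("error path:   %d, live allocations: %d\n", fail, live_allocations());
  return 0;
}
```

Dropping `volatile` from `rows` compiles cleanly but leaves the value read at `Exit:` after a `longjmp` indeterminate: with optimisation the compiler may keep `rows` in a register that `longjmp` does not restore, so the cleanup frees the NULL it saw before the allocation, which is the leak the patch addresses. Building with `-Wclobbered` (GCC) flags such variables.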