From 1ebe4f75cc71de97bd97b8bd7347224e004fb2fe Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Sat, 5 Aug 2017 19:58:41 -0500 Subject: [PATCH] [Libpng16] Relocated setting free_me for eXIf data, to stop an OSS-fuzz leak. --- ANNOUNCE | 5 +++-- CHANGES | 3 ++- pngrutil.c | 3 ++- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index 12283b79a..c990951d0 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,4 +1,4 @@ -Libpng 1.6.32beta11 - August 5, 2017 +Libpng 1.6.32beta11 - August 6, 2017 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -80,11 +80,12 @@ Version 1.6.32beta10 [August 5, 2017] Fix "const" declaration info_ptr argument to png_get_eXIf_1() and the num_exif argument to png_get_eXIf_1() (Github Issue 171). -Version 1.6.32beta11 [August 5, 2017] +Version 1.6.32beta11 [August 6, 2017] Added "eXIf" to "chunks_to_ignore[]" in png_set_keep_unknown_chunks(). Added huge_IDAT.png and empty_ancillary_chunks.png to testpngs/crashers. Make pngtest --strict, --relax, --xfail options imply -m (multiple). Removed unused chunk_name parameter from png_check_chunk_length(). + Relocated setting free_me for eXIf data, to stop an OSS-fuzz leak. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index fd610fae7..818f00bb5 100644 --- a/CHANGES +++ b/CHANGES 
@@ -5963,11 +5963,12 @@ Version 1.6.32beta10 [August 5, 2017] Fix "const" declaration info_ptr argument to png_get_eXIf_1() and the num_exif argument to png_get_eXIf_1() (Github Issue 171). -Version 1.6.32beta11 [August 5, 2017] +Version 1.6.32beta11 [August 6, 2017] Added "eXIf" to "chunks_to_ignore[]" in png_set_keep_unknown_chunks(). Added huge_IDAT.png and empty_ancillary_chunks.png to testpngs/crashers. Make pngtest --strict, --relax, --xfail options imply -m (multiple). Removed unused chunk_name parameter from png_check_chunk_length(). + Relocated setting free_me for eXIf data, to stop an OSS-fuzz leak. Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/pngrutil.c b/pngrutil.c index 6938d93c3..81c67ae7d 100644 --- a/pngrutil.c +++ b/pngrutil.c @@ -2030,6 +2030,8 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) return; } + info_ptr->free_me |= PNG_FREE_EXIF; + info_ptr->eXIf_buf = png_voidcast(png_bytep, png_malloc_warn(png_ptr, length)); @@ -2040,7 +2042,6 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) return; } - info_ptr->free_me |= PNG_FREE_EXIF; for (i = 0; i < length; i++) { png_byte buf[1];
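Review bot: The ANNOUNCE and CHANGES hunks record the fix only as "to stop an OSS-fuzz leak" and do not name which OSS-Fuzz report or which return path in png_handle_eXIf leaked the buffer; the neighbouring entries cite their tracker item ("Github Issue 171"), so this line should carry the oss-fuzz issue reference too so the testcase can be found when the eXIf reader is next touched.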
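Review bot: In the first pngrutil.c hunk the flag is now raised before the allocation can fail: `info_ptr->free_me |= PNG_FREE_EXIF;` precedes `png_malloc_warn(png_ptr, length)`, and the second hunk shows an early `return;` between that allocation and the old flag position, so that path now exits with PNG_FREE_EXIF set while eXIf_buf holds whatever png_malloc_warn returned. That is only safe if the later png_free_data path tolerates a NULL eXIf_buf with the bit set; please add a one-line comment above the moved line stating why the bit must be set ahead of the allocation (which early return was leaking), since from the visible lines the old placement already covered every exit after the allocation check, and a reader will otherwise be tempted to move it back.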