From 4ab78af90a0f54665a8c1aca16745d2f641c7efb Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Sun, 30 Jul 2017 19:36:25 -0500 Subject: [PATCH] [libpng16] Avoid possible NULL dereference in png_handle_eXIf when benign_errors are allowed. Avoid leaking the input buffer "eXIf_buf". --- ANNOUNCE | 6 ++++-- CHANGES | 4 +++- pngrutil.c | 4 +++- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index 17c8f8eb0..be2aefccd 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,4 +1,4 @@ -Libpng 1.6.32beta01 - July 27, 2017 +Libpng 1.6.32beta01 - July 31, 2017 This is not intended to be a public release. It will be replaced within a few weeks by a public version or by another test version. @@ -25,7 +25,9 @@ Other information: Changes since the last public release (1.6.31): -Version 1.6.32beta01 [July 27, 2017] +Version 1.6.32beta01 [July 31, 2017] + Avoid possible NULL dereference in png_handle_eXIf when benign_errors + are allowed. Avoid leaking the input buffer "eXIf_buf". Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index 2dfa7c485..bfda466b9 100644 --- a/CHANGES +++ b/CHANGES @@ -5908,7 +5908,9 @@ Version 1.6.31rc02 [July 25, 2017] Version 1.6.31 [July 27, 2017] No changes. -Version 1.6.32beta01 [July 27, 2017] +Version 1.6.32beta01 [July 31, 2017] + Avoid possible NULL dereference in png_handle_eXIf when benign_errors + are allowed. Avoid leaking the input buffer "eXIf_buf". Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/pngrutil.c b/pngrutil.c index 7fe5cd1de..c9e1dd401 100644 --- a/pngrutil.c +++ b/pngrutil.c @@ -2021,7 +2021,7 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) if ((png_ptr->mode & PNG_HAVE_IHDR) == 0) png_chunk_error(png_ptr, "missing IHDR"); - else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_eXIf) != 0) + else if (info_ptr == NULL || (info_ptr->valid & PNG_INFO_eXIf) != 0) { png_crc_finish(png_ptr, length); png_chunk_benign_error(png_ptr, "duplicate"); @@ -2044,6 +2044,8 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) info_ptr->num_exif = length; png_set_eXIf(png_ptr, info_ptr, eXIf_buf); + + png_free(png_ptr, eXIf_buf); } #endif