From 8d1672537324d99c6e65eb78fc1678cdd46f75bd Mon Sep 17 00:00:00 2001 From: Glenn Randers-Pehrson Date: Fri, 27 May 2016 19:55:44 -0500 Subject: [PATCH] [libpng16] Stop a potential memleak in png_set_tRNS() (Bug report by Ted Ying). --- ANNOUNCE | 1 + CHANGES | 1 + pngset.c | 13 +++++++------ 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/ANNOUNCE b/ANNOUNCE index 1c5d31254..1f3edd760 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -26,6 +26,7 @@ Other information: Changes since the last public release (1.6.22): Version 1.6.23beta01 [May 28, 2016] + Stop a potential memory leak in png_set_tRNS() (Bug report by Ted Ying). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/CHANGES b/CHANGES index ba1ab5161..d31a5b398 100644 --- a/CHANGES +++ b/CHANGES @@ -5574,6 +5574,7 @@ Version 1.6.22 [May 26, 2016] No changes. Version 1.6.23beta01 [May 28, 2016] + Stop a potential memory leak in png_set_tRNS() (Bug report by Ted Ying). Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit diff --git a/pngset.c b/pngset.c index 4bd5ab3cb..6e9c50aab 100644 --- a/pngset.c +++ b/pngset.c @@ -1,8 +1,8 @@ /* pngset.c - storage of image information into info struct * - * Last changed in libpng 1.6.21 [January 15, 2016] - * Copyright (c) 1998-2015 Glenn Randers-Pehrson + * Last changed in libpng 1.6.23 [(PENDING RELEASE)] + * Copyright (c) 1998-2016 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -952,12 +952,13 @@ png_set_tRNS(png_structrp png_ptr, png_inforp info_ptr, png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0); - /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */ - png_ptr->trans_alpha = info_ptr->trans_alpha = png_voidcast(png_bytep, - png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH)); - if (num_trans > 0 && num_trans <= PNG_MAX_PALETTE_LENGTH) + { + /* Changed from num_trans to PNG_MAX_PALETTE_LENGTH in version 1.2.1 */ + png_ptr->trans_alpha = info_ptr->trans_alpha = png_voidcast(png_bytep, + png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH)); memcpy(info_ptr->trans_alpha, trans_alpha, (png_size_t)num_trans); + } } if (trans_color != NULL)