Fix a potential double-free bug when loading PNG images (Issue #462)
michaelrsweet committed Jan 6, 2022
1 parent a0dfb99 commit 5495336
Showing 3 changed files with 14 additions and 9 deletions.
1 change: 1 addition & 0 deletions CHANGES.md
@@ -1,6 +1,7 @@
# Changes in HTMLDOC v1.9.15

- Fixed a potential heap overflow bug with GIF images (Issue #461)
- Fixed a potential double-free bug with PNG images (Issue #462)


# Changes in HTMLDOC v1.9.14
19 changes: 10 additions & 9 deletions htmldoc/image.cxx
Expand Up @@ -1478,7 +1478,7 @@ image_load_png(image_t *img, /* I - Image pointer */
png_structp pp; /* PNG read pointer */
png_infop info; /* PNG info pointers */
int depth; /* Input image depth */
png_bytep *rows; /* PNG row pointers */
png_bytep *rows = NULL; /* PNG row pointers */
uchar *inptr, /* Input pixels */
*outptr; /* Output pixels */
int color_type, /* PNG color mode */
Expand Down Expand Up @@ -1508,19 +1508,20 @@ image_load_png(image_t *img, /* I - Image pointer */
return (-1);
}

rows = NULL;

if (setjmp(png_jmpbuf(pp)))
{
progress_error(HD_ERROR_BAD_FORMAT, "PNG file contains errors!");

png_destroy_read_struct(&pp, &info, NULL);

if (img != NULL && img->pixels != NULL)
if (img != NULL)
{
free(img->pixels);
img->pixels = NULL;
}

if (rows != NULL)
free(rows);
free(rows);
rows = NULL;

return (-1);
}
Expand Down Expand Up @@ -1617,7 +1618,7 @@ image_load_png(image_t *img, /* I - Image pointer */
return (0);
}

img->pixels = (uchar *)calloc(1,(size_t)(img->width * img->height * depth));
img->pixels = (uchar *)calloc(1, (size_t)(img->width * img->height * depth));

/*
* Allocate pointers...
Expand Down Expand Up @@ -1709,11 +1710,11 @@ image_load_png(image_t *img, /* I - Image pointer */
* Free memory and return...
*/

free(rows);

png_read_end(pp, info);
png_destroy_read_struct(&pp, &info, NULL);

free(rows);

return (0);
}
#endif // HAVE_LIBPNG
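Review bot: `rows` is still a plain automatic variable that is written after `setjmp()` is armed (the row-pointer allocation later in the function, outside the second hunk) and then read in the longjmp handler at `free(rows)`, so under the setjmp/longjmp rules its value in the handler is indeterminate and the handler may free a stale value or leak the allocation. Moving the initialization to the declaration in the first hunk removes the pre-setjmp store but does not change that; declaring it `png_bytep *volatile rows = NULL; /* PNG row pointers */` does. The `img->pixels` part of the handler is fine because `img` itself is not modified after setjmp. Separately, the calloc size in the third hunk is still computed as `img->width * img->height * depth` in integer arithmetic before the cast to size_t; if those fields are not range-checked earlier in the function, an overflow check belongs before that line. image_load_png begins outside these hunks.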
3 changes: 3 additions & 0 deletions htmldoc/ps-pdf.cxx
Expand Up @@ -10304,6 +10304,9 @@ write_image(FILE *out, /* I - Output file */
if (!img->pixels && !img->obj)
image_load(img->filename, !OutputColor, 1);

if (!img->pixels)
return;

// Note: Acrobat 6 tries to decrypt the colormap of indexed in-line images twice, which
// is 1) not consistent with prior Acrobat releases and 2) in violation of their
// PDF spec. The "img->use > 1 || !Encryption" test prevents the use of indexed
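Review bot: The new guard returns silently when `image_load()` has not produced pixels, so a load failure leaves no diagnostic at this point; unless `image_load()` reports the failure itself, a call such as `progress_error(HD_ERROR_BAD_FORMAT, ...)` (the project's own reporter, as used in image.cxx) before the `return;` would make a dropped image visible in the output. Note also that the guard fires whenever `img->pixels` is NULL, including for an image whose `img->obj` is already set and was therefore deliberately not reloaded on the line above; if such images can have had their pixel buffer released, the condition should probably be `if (!img->pixels && !img->obj) return;`, which I cannot verify from the hunk. write_image continues outside the hunk.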

0 comments on commit 5495336

Please sign in to comment.