libpng
Memory leak in png2pnm.c: png2pnm while processing corrupted PNG image file
In libpng version 1.6.37, there is a memory leak in png2pnm.c while processing the corrupted PNG image
libpng error: PNG unsigned integer out of range
PNG2PNM Error: unsuccessful conversion of PNG-image

=================================================================
==17967==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x4bac13 in malloc /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4e9ea8 in png2pnm /opt/libpng-1.6.37/contrib/pngminus/png2pnm.c:307:8
    #2 0x4e86cc in main /opt/libpng-1.6.37/contrib/pngminus/png2pnm.c:122:7
    #3 0x7fa0d8dff83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

Indirect leak of 4096 byte(s) in 1 object(s) allocated from:
    #0 0x4bac13 in malloc /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4e9e8b in png2pnm /opt/libpng-1.6.37/contrib/pngminus/png2pnm.c:300:8
    #2 0x4e86cc in main /opt/libpng-1.6.37/contrib/pngminus/png2pnm.c:122:7
    #3 0x7fa0d8dff83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: 4352 byte(s) leaked in 2 allocation(s).
Memory is allocated in the code below in png2pnm.c:307
  if ((row_pointers = (png_byte **) malloc ((size_t) height * sizeof (png_byte *))) == NULL)
  {
    png_destroy_read_struct (&png_ptr, &info_ptr, NULL);
    free (png_pixels);
    return FALSE;
  }
Perhaps, while processing the corrupted PNG image, it is not able to convert it into a PNM file and does not free the memory before exiting:

  if (png2pnm (fp_rd, fp_wr, fp_al, raw, alpha) == FALSE)
  {
    fprintf (stderr, "PNG2PNM\n");
    fprintf (stderr, "Error: unsuccessful conversion of PNG-image\n");
    exit (1);
  }
POC file attached:
POC file in a zip attached with the corrected CRC.
poc.zip
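As an added illustration, not code from libpng or from this report: a constructed C program that mirrors the allocation pattern in the fragment above (a pixel buffer plus a row-pointer table), with a stand-in for libpng's setjmp/longjmp error path. convert_leaky reproduces what the sanitizer report shows, a jump target that returns without freeing the buffers allocated after setjmp was armed; convert_fixed releases both on the error path. The decoder stand-in (fake_decode_rows), the counted allocator and the function names are assumptions for the demonstration.

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the libpng error path: on a fatal error the decoder
 * longjmps back to the caller's setjmp instead of returning an error code.
 * (hypothetical; libpng itself uses png_jmpbuf(png_ptr) and png_error()) */
static jmp_buf decode_jmp;

static void fake_decode_rows(int fail)
{
    if (fail)
        longjmp(decode_jmp, 1);         /* the "libpng error: ..." path */
}

/* Allocation counter so the outcome can be checked without a sanitizer. */
static int live_allocs = 0;

static void *counted_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        live_allocs++;
    return p;
}

static void counted_free(void *p)
{
    if (p != NULL) {
        live_allocs--;
        free(p);
    }
}

int live_allocations(void) { return live_allocs; }
void reset_allocations(void) { live_allocs = 0; }

/* Leaky pattern, as in the report: the jump target returns without touching
 * the pixel buffer and row table allocated after setjmp, so both are lost. */
int convert_leaky(int width, int height, int fail)
{
    unsigned char *pixels = NULL;
    unsigned char **rows = NULL;
    int i;

    if (setjmp(decode_jmp))
        return 0;                       /* pixels/rows unreachable from here */

    if ((pixels = counted_malloc((size_t)width * (size_t)height)) == NULL)
        return 0;
    if ((rows = counted_malloc((size_t)height * sizeof *rows)) == NULL) {
        counted_free(pixels);
        return 0;
    }
    for (i = 0; i < height; i++)
        rows[i] = pixels + (size_t)i * (size_t)width;

    fake_decode_rows(fail);             /* may longjmp to the setjmp above */

    counted_free(rows);
    counted_free(pixels);
    return 1;
}

/* Same flow with the buffers released on the error path. The pointers are
 * declared volatile because they are modified between setjmp and longjmp;
 * without that their values after the jump are indeterminate (C11 7.13.2.1). */
int convert_fixed(int width, int height, int fail)
{
    unsigned char *volatile pixels = NULL;
    unsigned char **volatile rows = NULL;
    int i;

    if (setjmp(decode_jmp)) {
        counted_free(rows);             /* NULL if not yet allocated */
        counted_free(pixels);
        return 0;
    }

    if ((pixels = counted_malloc((size_t)width * (size_t)height)) == NULL)
        return 0;
    if ((rows = counted_malloc((size_t)height * sizeof *rows)) == NULL) {
        counted_free(pixels);
        return 0;
    }
    for (i = 0; i < height; i++)
        rows[i] = pixels + (size_t)i * (size_t)width;

    fake_decode_rows(fail);

    counted_free(rows);
    counted_free(pixels);
    return 1;
}

int main(void)
{
    convert_leaky(4, 4, 1);
    printf("leaky: %d allocation(s) still live after failure\n", live_allocations());
    reset_allocations();
    convert_fixed(4, 4, 1);
    printf("fixed: %d allocation(s) still live after failure\n", live_allocations());
    return 0;
}
```

In the command-line tool both paths end with the process exiting, and the operating system reclaims the memory; that is the basis of the reply below. The freeing form matters when the conversion routine is called repeatedly from a long-running process, where each rejected image would otherwise retain its buffers.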
There is no memory leak here; the program has exited with a fatal error (and this is the correct behavior).