Commit 5327092bb28b6df742386d75555ba3ccc6d05ce6

Nikhil Ramakrishnan 2019-09-20T06:30:28

[woff2] Fix memory leaks. Reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16896 * src/sfnt/sfwoff2.c (woff2_open_font): Fix error handling. Free `uncompressed_buf'. (reconstruct_font): Free `transformed_buf'.

diff --git a/ChangeLog b/ChangeLog
index bed5802..3e9cf75 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2019-09-20  Nikhil Ramakrishnan  <ramakrishnan.nikhil@gmail.com>
+
+	[woff2] Fix memory leaks.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16896
+
+	* src/sfnt/sfwoff2.c (woff2_open_font): Fix error handling.
+	Free `uncompressed_buf'.
+	(reconstruct_font): Free `transformed_buf'.
+
 2019-09-17  Werner Lemberg  <wl@gnu.org>
 
 	* src/otvalid/otvcommon.c (otv_Coverage_get_last): Guard `count'.
diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c
index bea73c3..bb7c981 100644
--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
@@ -1706,6 +1706,7 @@
     FT_FREE( table_entry );
     FT_Stream_Close( stream );
     FT_FREE( stream );
+    FT_FREE( transformed_buf );
 
     return error;
   }
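Review bot: The added `FT_FREE( transformed_buf );` releases a buffer that, going by the commit message and the call in woff2_open_font, is handed in by the caller, and nothing in the hunk documents that transfer of ownership. FT_FREE can only clear the callee's own copy of the pointer, so the caller is left holding a stale address and must not read or free it after the call. I would state the contract in the function's header comment, e.g. `/* Takes ownership of `transformed_buf' and frees it before returning; the caller must not use or free it afterwards. */`. The function body begins outside the hunk, so confirm that no earlier `return` bypasses this cleanup block, because the caller now drops its pointer unconditionally and such a path would leak.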
@@ -2170,11 +2171,12 @@
                               woff2.uncompressed_size,
                               stream->cursor,
                               woff2.totalCompressedSize );
-    if ( error )
-      goto Exit;
 
     FT_FRAME_EXIT();
 
+    if ( error )
+      goto Exit;
+
     error = reconstruct_font( uncompressed_buf,
                               woff2.uncompressed_size,
                               indices,
@@ -2183,6 +2185,9 @@
                               &sfnt,
                               &sfnt_size,
                               memory );
+
+    uncompressed_buf = NULL;
+
     if ( error )
       goto Exit;
 
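Review bot: `uncompressed_buf = NULL;` carries no comment, although it is the only thing that stops the `FT_FREE( uncompressed_buf );` added at `Exit` from freeing the buffer a second time when reconstruct_font fails. It has to stay directly after the call and before `if ( error ) goto Exit;`, and without a comment it reads like a dead store that a later cleanup could move or delete. Suggest adding `/* reconstruct_font() has freed the buffer; clear our copy so `Exit' does not free it again */` above the assignment. woff2_open_font starts and ends outside this hunk.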
@@ -2221,6 +2226,7 @@
   Exit:
     FT_FREE( tables );
     FT_FREE( indices );
+    FT_FREE( uncompressed_buf );
 
     if ( error )
     {
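Review bot: `FT_FREE( uncompressed_buf );` at `Exit` now runs for every `goto Exit`, including any taken before the buffer is allocated, so the variable must be initialised to `NULL` at its declaration. The declaration is outside this hunk and should be checked. If it is left uninitialised, an early failure would hand an indeterminate pointer to the deallocator on input that a malformed font can reach. The same check applies to `tables` and `indices`, which are freed next to it.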