[sfnt] Fix memory leak in png loading.

Reported as

https://bugs.chromium.org/p/chromium/issues/detail?id=1182552

Memory is allocated and the pointer assigned to `rows` inside a 'setjmp' scope. This memory must be freed outside the 'setjmp' scope after a 'longjmp'. Since `rows` is a local and modified inside the 'setjmp' scope it must be marked volatile or it will have an indeterminate value after the 'longjmp'.

* src/sfnt/pngshim.c (Load_SBit_Png): Fix memory leak of `rows`.
diff --git a/ChangeLog b/ChangeLog
index 1883fda..3535d06 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,19 @@
+2021-03-16 Ben Wagner <bungeman@google.com>
+
+ [sfnt] Fix memory leak in png loading.
+
+ Reported as
+
+ https://bugs.chromium.org/p/chromium/issues/detail?id=1182552
+
+ Memory is allocated and the pointer assigned to `rows` inside a
+ 'setjmp' scope. This memory must be freed outside the 'setjmp'
+ scope after a 'longjmp'. Since `rows` is a local and modified
+ inside the 'setjmp' scope it must be marked volatile or it will have
+ an indeterminate value after the 'longjmp'.
+
+ * src/sfnt/pngshim.c (Load_SBit_Png): Fix memory leak of `rows`.
+
2021-03-16 Christopher Degawa <ccom@randomderp.com>
* CMakeLists.txt: Don't limit generation of 'pkg-config' file to UNIX.
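Review bot: the file item at the end of the entry, `* src/sfnt/pngshim.c (Load_SBit_Png): Fix memory leak of `rows`.`, names only the symptom, while the paragraph above it describes two distinct changes: qualifying `rows` as `volatile` and moving the free of `rows` outside the 'setjmp' scope. Spelling both out in the item (for example "Make `rows` volatile and free it after the 'setjmp' block") lets a reader of the ChangeLog alone see why the declaration changed and not only that a leak was fixed.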
diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
index c7a2938..3ef7b43 100644
--- a/src/sfnt/pngshim.c
+++ b/src/sfnt/pngshim.c
@@ -270,7 +270,10 @@
int bitdepth, color_type, interlace;
FT_Int i;
- png_byte* *rows = NULL; /* pacify compiler */
+
+ /* `rows` gets modified within a 'setjmp' scope; */
+ /* we thus need the `volatile` keyword. */
+ png_byte* *volatile rows = NULL;
if ( x_offset < 0 ||
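Review bot: the qualifier is applied to the pointer variable itself (`png_byte* *volatile rows`), which is the right object to qualify: what must survive the 'longjmp' is the value of `rows`, not the row buffers it points to, and C (7.13.2.1) leaves non-volatile automatic locals modified between `setjmp` and `longjmp` with indeterminate values. Two things to keep in view for the rest of the change: the `= NULL` initialization has to stay, since the cleanup path can only tell "never allocated" from "allocated" by that value, and the free of `rows` that the ChangeLog describes is not in this hunk, so the later hunk must place it after the `setjmp` block on the error path rather than inside it, otherwise the 'longjmp' path still leaks. The replaced `/* pacify compiler */` comment is correctly dropped now that the declaration carries a real explanation.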