[Png-mng-security] Memory Leaks in libpng

glennrp at comcast.net glennrp at comcast.net
Sun Jul 20 11:59:50 UTC 2008


 -------------- Original message ----------------------
From: Greg Roelofs <newt at pobox.com>
> Kurt Christensen <hoodel at hoodel.com> wrote:
> 
> > Greg,
> 
> > I have found several places where memory could leak in the libpng src. 
> > These all stem from pngrutil.c.
> > [...]
> > If png_crc_read or png_crc_finish encounter a premature end of file, 
> > png_error is called with no return, and hence png_free never gets called.
> > Similar constructs exist [...]

Have you actually observed the behavior?  It seems to me that
png_free() will be called during the png_destroy_read_struct() that
is supposed to be included by the application in the setjmp()
block.  See example.c and other test programs that are included
in the libpng distribution.  If applications fail to clean up there, they will
have worse leaks (the entire png_struct, for example) than this.

Glenn
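As an added illustration (not libpng code, and not written by anyone in this thread), here is a miniature model of the error path discussed above: a chunk handler allocates a buffer, a premature end of file makes png_error longjmp past the handler's own png_free, and whether that buffer leaks depends on the application calling png_destroy_read_struct inside its setjmp block. Every model_* name and outstanding_after_read is a hypothetical stand-in; libpng's real memory bookkeeping differs.

```c
#include <setjmp.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for png_struct: the application's jmp_buf plus the
 * allocations the library still owns (libpng's real bookkeeping differs). */
typedef struct {
    jmp_buf jmpbuf;
    void *allocs[16];
    int nallocs;
} model_png_struct;
/* Like png_error(): longjmps to the application's setjmp block and never returns. */
static void model_png_error(model_png_struct *png, const char *msg) { (void)msg; longjmp(png->jmpbuf, 1); }
static void *model_png_malloc(model_png_struct *png, size_t n) {
    void *p = malloc(n);
    if (p != NULL && png->nallocs < 16) png->allocs[png->nallocs++] = p;
    return p;
}
static void model_png_free(model_png_struct *png, void *p) {
    for (int i = 0; i < png->nallocs; i++)
        if (png->allocs[i] == p) { png->allocs[i] = png->allocs[--png->nallocs]; break; }
    free(p);
}
/* Like png_destroy_read_struct(): releases everything the struct still tracks. */
static void model_png_destroy_read_struct(model_png_struct *png) {
    while (png->nallocs > 0) model_png_free(png, png->allocs[png->nallocs - 1]);
}
/* Chunk handler shaped like the ones in pngrutil.c: allocate, read, free.
 * On a short read the error path is taken and the trailing free is skipped. */
static void model_handle_chunk(model_png_struct *png, const unsigned char *data, size_t avail, size_t need) {
    unsigned char *buf = model_png_malloc(png, need);
    if (buf == NULL || avail < need) model_png_error(png, "premature end of file");
    memcpy(buf, data, need);
    model_png_free(png, buf);
}

/* Returns how many library allocations remain after one chunk is processed. */
int outstanding_after_read(size_t avail, size_t need, int cleanup_in_setjmp_block) {
    static const unsigned char constructed[8] = "IDATxxx";  /* constructed sample bytes */
    if (avail > sizeof constructed) avail = sizeof constructed;
    model_png_struct *png = calloc(1, sizeof *png);         /* heap: stable across longjmp */
    if (png == NULL) return -1;
    if (setjmp(png->jmpbuf) == 0)
        model_handle_chunk(png, constructed, avail, need);   /* normal path */
    else if (cleanup_in_setjmp_block)
        model_png_destroy_read_struct(png);                  /* error path: application cleanup */
    int left = png->nallocs;  /* nonzero here is the leak the thread discusses */
    free(png);
    return left;
}
```

With a complete chunk, or with a short chunk plus cleanup in the setjmp block, nothing remains outstanding; a short chunk without that cleanup leaves the handler's buffer behind.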
