[Png-mng-security] Memory Leaks in libpng

glennrp at comcast.net glennrp at comcast.net
Sun Jul 20 20:21:04 UTC 2008


 -------------- Original message ----------------------
From: Kurt Christensen <hoodel at hoodel.com>
> 
> I have actually observed the behavior in a Purify context. That's how 
> I found it in the first place. Since I am in a crawler application, 
> not a browser application, even small leaks can accumulate to hang 
> the system eventually.

Thanks for this report.

> I performed a kludge/work-around, which modified pngrutil.c and my 
> png_error surrogate. I used two extern flags. One is set in 
> png_handle_<chunk> whenever one of these patterns is encountered, and 
> cleared after the pattern. The other gets set by png_error when the 
> first flag is set, in which case it returns instead of doing the long 
> jump.
> 
> png_handle_<chunk>, seeing the second flag set, frees the memory and exits.
> 
> Since this would have to be patched again in any subsequent version 
> of libpng, I thought it better to have the community patch it at the 
> source rather than have me do my work-around, which benefits only me.

I think a more straightforward approach would be to make the chunkdata
pointer a new member of png_struct, so it could be reliably
freed during the png_read_destroy() process.

Glenn
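The leak pattern Kurt describes (a chunk handler's local buffer abandoned when png_error longjmps out) and the fix Glenn proposes (the pointer owned by the reader struct and released during destroy), as an added, constructed C model. It is not libpng's code: `reader`, `reader_error`, `reader_destroy`, `track_alloc` and the `len > 16` validation rule are stand-ins invented for the illustration, and the one-slot tracker plays the role Purify played in the report.

```c
/* Constructed model (not libpng's code) of the leak described in the thread: a chunk
   handler allocates a buffer, the png_error() stand-in longjmps out, and the free is
   skipped. The fix proposed by Glenn is modelled by owning the pointer in the reader
   struct so destroy() can release it. A one-slot tracker plays the role of Purify. */
#include <setjmp.h>
#include <stddef.h>
#include <stdlib.h>

static void *outstanding;   /* the demo never has more than one live chunk buffer */
static void *track_alloc(size_t n) { return outstanding = malloc(n); }
static void track_free(void *p) { if (p && p == outstanding) outstanding = NULL; free(p); }
/* Purify stand-in: report a block still live after a run, then reclaim it. */
static int count_and_reclaim_leaks(void) {
    int n = outstanding != NULL;
    free(outstanding); outstanding = NULL;
    return n;
}

typedef struct {
    jmp_buf jmpbuf;     /* longjmp target, as in png_struct */
    void *chunkdata;    /* proposed new member: owning pointer to the chunk buffer */
} reader;

static void reader_error(reader *r) { longjmp(r->jmpbuf, 1); }   /* png_error stand-in */
/* Leaky pattern: buffer held only in a local, so the error path skips the free. */
static void handle_chunk_leaky(reader *r, size_t len) {
    char *buf = track_alloc(len);
    if (len > 16) reader_error(r);   /* constructed rule: the chunk fails validation */
    track_free(buf);
}
/* Fixed pattern: the reader owns the buffer until it is freed. */
static void handle_chunk_fixed(reader *r, size_t len) {
    r->chunkdata = track_alloc(len);
    if (len > 16) reader_error(r);
    track_free(r->chunkdata); r->chunkdata = NULL;
}
static void reader_destroy(reader *r) {   /* png_read_destroy stand-in */
    track_free(r->chunkdata); r->chunkdata = NULL;
}
/* Run one handler on a len-byte chunk, destroy the reader, return leaked blocks. */
int leaks_after(void (*handler)(reader *, size_t), size_t len) {
    reader *r = calloc(1, sizeof *r);   /* heap object: its fields survive the longjmp */
    if (!r) return -1;
    if (setjmp(r->jmpbuf) == 0) handler(r, len);
    reader_destroy(r);
    free(r);
    return count_and_reclaim_leaks();
}
```

On the error path the leaky handler leaves one block outstanding while the fixed one leaves none; on the success path both are clean, which is why the leak only shows up under a tool like Purify or in a long-running crawler.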
