GNOME Bugzilla – Bug 163348
[pngenc] Leaks and other nasty stuff
Last modified: 2005-01-09 01:39:57 UTC
gst_pngenc_chain() does not unref the buffer it got on most error paths, nor does it free the libpng structures. There are a few places where it can simply corrupt memory on error. Observe this code, from gst_pngenc_chain():

  pngenc->png_info_ptr = png_create_info_struct (pngenc->png_struct_ptr);
  if (!pngenc->png_info_ptr) {
    png_destroy_read_struct (&(pngenc->png_struct_ptr), (png_infopp) NULL, (png_infopp) NULL);
  }

  /* non-0 return is from a longjmp inside of libpng */
  if (setjmp (pngenc->png_struct_ptr->jmpbuf) != 0) {
    GST_DEBUG ("returning from longjmp");
    png_destroy_write_struct (&pngenc->png_struct_ptr, &pngenc->png_info_ptr);
    return;
  }

If setting up png_info_ptr fails, there is no return, but png_struct_ptr is destroyed. That might well result in the next block corrupting memory. Not to mention that in the first block, a struct allocated by png_create_write_struct is destroyed with png_destroy_read_block. Note the write vs. read there. The buffer isn't unref'ed either.
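As an added illustration (not code from this bug or from the attached patch), the corrected shape of the chain function's error handling: every path destroys the libpng structures with the write-side destructor and drops the buffer reference. The libpng and GstBuffer calls here are constructed stand-ins that only count allocations and references, so the cleanup can be checked under injected failures.

```c
#include <setjmp.h>
#include <stdlib.h>

/* Constructed stand-ins for libpng and GstBuffer (not the real APIs):
 * they track live allocations and the buffer refcount, and can be made
 * to fail the way the real calls do (NULL return, or longjmp on error). */
typedef struct { jmp_buf jmpbuf; } png_struct_t;
typedef struct { int unused; } png_info_t;
static int live_structs = 0;   /* libpng structs created but not destroyed */
static int fail_info = 0;      /* inject: png_create_info_struct returns NULL */
static int fail_write = 0;     /* inject: libpng longjmp()s while writing */

static png_struct_t *png_create_write_struct(void) { live_structs++; return calloc(1, sizeof(png_struct_t)); }
static png_info_t *png_create_info_struct(png_struct_t *p) { (void)p; if (fail_info) return NULL; live_structs++; return calloc(1, sizeof(png_info_t)); }
static void png_destroy_write_struct(png_struct_t **p, png_info_t **i) {
    if (*p) { free(*p); *p = NULL; live_structs--; }
    if (i && *i) { free(*i); *i = NULL; live_structs--; }
}
static void png_write_image(png_struct_t *p) { if (fail_write) longjmp(p->jmpbuf, 1); }

typedef struct { int refcount; } GstBuffer;
static void gst_buffer_unref(GstBuffer *b) { b->refcount--; }

/* Corrected control flow: the info-struct failure now returns, destroys the
 * struct with the write destructor, and unrefs the buffer; the setjmp path
 * does the same once libpng raises an error. */
static int pngenc_chain(GstBuffer *buf) {
    png_struct_t *ps = png_create_write_struct();
    png_info_t *pi = NULL;
    if (!ps) { gst_buffer_unref(buf); return -1; }
    pi = png_create_info_struct(ps);
    if (!pi) {
        png_destroy_write_struct(&ps, NULL);   /* was read_struct, and no return */
        gst_buffer_unref(buf);
        return -1;
    }
    if (setjmp(ps->jmpbuf) != 0) {             /* non-0: longjmp from inside libpng */
        png_destroy_write_struct(&ps, &pi);
        gst_buffer_unref(buf);
        return -1;
    }
    png_write_image(ps);
    png_destroy_write_struct(&ps, &pi);
    gst_buffer_unref(buf);
    return 0;
}

/* Run the chain under an injected failure; 99 means something leaked. */
static int run_case(int inject_info, int inject_write) {
    GstBuffer buf = { 1 };
    fail_info = inject_info; fail_write = inject_write;
    int rc = pngenc_chain(&buf);
    return (buf.refcount == 0 && live_structs == 0) ? rc : 99;
}
```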
Created attachment 35673: Patch fixing the mentioned problems. This patch fixes all the problems mentioned in the report.
applied, thanks.