commit 3ec225dd411c1a779089fa558d659cf860d12da0
author Sami Boukortt <sboukortt@google.com> Tue Feb 12 14:17:27 2019 +0100
committer Cosmin Truta <ctruta@gmail.com> Tue Sep 13 14:11:33 2022 +0300
tree 45f6f700ce621b8027ba1e1da3d2bdcbebf08c9c
parent 36bd1bbd549a4b6dd5ed2e1dbf7fd623c0a9797d

Fix a memory leak in png_set_tRNS

This leak was discovered by OSS-Fuzz.

The old structure of the code was along the lines of:

  allocate trans_alpha;
  if (problem) {
    // Jumps away from this function
    png_warning("tRNS chunk has out-of-range samples for bit_depth");
  }
  mark trans_alpha as to-free;

Signed-off-by: Cosmin Truta <ctruta@gmail.com>

AUTHORS

diff --git a/AUTHORS b/AUTHORS
index 45fb425..7b40082 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -36,6 +36,7 @@
    - Matt Sarett
    - Mike Klein
    - Dan Field
+   - Sami Boukortt
 
 The build projects, the build scripts, the test scripts, and other
 files in the "ci", "projects", "scripts" and "tests" directories, have

pngset.c

diff --git a/pngset.c b/pngset.c
index 9f4489b..8c372cf 100644
--- a/pngset.c
+++ b/pngset.c
@@ -1,7 +1,7 @@
 
 /* pngset.c - storage of image information into info struct
  *
- * Copyright (c) 2018 Cosmin Truta
+ * Copyright (c) 2018-2022 Cosmin Truta
  * Copyright (c) 1998-2018 Glenn Randers-Pehrson
  * Copyright (c) 1996-1997 Andreas Dilger
  * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
@@ -1019,6 +1019,9 @@
           info_ptr->trans_alpha = png_voidcast(png_bytep,
               png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH));
           memcpy(info_ptr->trans_alpha, trans_alpha, (size_t)num_trans);
+
+          info_ptr->valid |= PNG_INFO_tRNS;
+          info_ptr->free_me |= PNG_FREE_TRNS;
        }
        png_ptr->trans_alpha = info_ptr->trans_alpha;
    }