    if (sixel_decode(image,(unsigned char*) sixel_buffer,&sixel_pixels,&image->columns,&image->rows,&sixel_palette,&image->colors,exception) ==MagickFalse) // line 1057
      {
        sixel_buffer=(char*) RelinquishMagickMemory(sixel_buffer);
        ThrowReaderException(CorruptImageError,"CorruptImage");
      }
    sixel_buffer=(char*) RelinquishMagickMemory(sixel_buffer);
    image->depth=24;
    image->storage_class=PseudoClass;
    status=SetImageExtent(image,image->columns,image->rows,exception);
    if (status==MagickFalse)
      {
        sixel_pixels=(unsigned char*) RelinquishMagickMemory(sixel_pixels); // line 1068
        sixel_palette=(unsigned char*) RelinquishMagickMemory(sixel_palette);
        return(DestroyImageList(image));
      }
Prerequisites
Description
potential memory leak in ReadSIXELImage in sixel.c
Steps to Reproduce
The first critical code snippet is:
https://github.com/ImageMagick/ImageMagick/blob/master/coders/sixel.c#L539
When the condition at line 539 is satisfied and dmbuf is successfully allocated at line 547, the value of dmbuf is assigned to imbuf at line 557 and is finally assigned to the pointer parameter pixels at line 560 (i.e. the buf's address is passed out to the caller function).
Now, when the allocation at line 564 fails, the function returns MagickFalse at line 566.
Next, I searched the whole project code and found only one call to sixel_decode, which is located in function ReadSIXELImage in sixel.c at line 1057, as follows. The local variable sixel_pixels holds the value of dmbuf.
https://github.com/ImageMagick/ImageMagick/blob/master/coders/sixel.c#L1057
However, when function sixel_decode returns MagickFalse as described above, the memory pointed to by sixel_pixels (i.e. the memory allocated at line 547) is not freed as is done at line 1068. As a result, a memory leak happens.
Patch Suggestion:
System Configuration
Credit to Bingchang Liu at VARAS of IIE
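The ownership pattern behind this report, reduced to a self-contained C sketch: a callee publishes a buffer through an out-parameter, then fails on a later allocation, and the caller's error path decides whether that buffer leaks. This is an added example, not ImageMagick code and not a patch from the reporter; `toy_decode`, `read_leaky`, `read_fixed`, `xalloc`, `xfree` and `leaks_after` are hypothetical names, and the allocation counter and forced failure are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins with hypothetical names; not ImageMagick code. */
static int live_allocs, alloc_calls;
static int fail_on_call;            /* make the Nth xalloc() fail; 0 = never */

static void *xalloc(size_t n) {
    if (++alloc_calls == fail_on_call) return NULL;   /* simulated OOM */
    void *p = malloc(n);
    if (p != NULL) live_allocs++;
    return p;
}
static void *xfree(void *p) {       /* returns NULL so callers can reset */
    if (p != NULL) { free(p); live_allocs--; }
    return NULL;
}

/* Same shape as the reported path: publish the buffer, then fail later. */
static int toy_decode(unsigned char **pixels, unsigned char **palette) {
    unsigned char *buf = xalloc(64);
    if (buf == NULL) return 0;
    *pixels = buf;                  /* the caller owns this from here on */
    *palette = xalloc(16);
    return *palette != NULL;        /* may fail after ownership moved */
}

/* Caller that only reports the failure: the published buffer leaks. */
static int read_leaky(void) {
    unsigned char *pixels = NULL, *palette = NULL;
    if (!toy_decode(&pixels, &palette)) return 0;
    pixels = xfree(pixels); palette = xfree(palette);
    return 1;
}
/* Caller that releases whatever came back through the out-parameters. */
static int read_fixed(void) {
    unsigned char *pixels = NULL, *palette = NULL;
    int ok = toy_decode(&pixels, &palette);
    pixels = xfree(pixels); palette = xfree(palette);
    return ok;
}

/* Force the second allocation to fail and count what is still allocated. */
static int leaks_after(int (*reader)(void)) {
    live_allocs = 0; alloc_calls = 0; fail_on_call = 2;
    (void)reader();
    return live_allocs;
}

int main(void) {
    printf("leaky: %d live, fixed: %d live\n",
           leaks_after(read_leaky), leaks_after(read_fixed));
    return 0;
}
```

Initialising the out-parameter targets to NULL in the caller is what makes the unconditional release in `read_fixed` safe when the callee fails before publishing anything.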