pcd_table[i] is allocated at line 202; however, pcd_table[0~i] are not freed when an exception happens at line 204 or when the function returns at line 215. pcd_table is a local array variable and it isn't passed to the caller when DecodeImage returns MagickFalse at lines 207 and 218. As a result, the allocated memory pcd_table[0~(i-1)] (or pcd_table[0~i] when returning at line 218) is never freed and a memory leak happens.
The max size of leaked memory is 3*(0xff+1)*sizeof(*pcd_table[0]).
The patch suggestion:
```c
if (pcd_table[i] == (PCDTable *) NULL) //line 204
  {
    /* pcd_table[i] was not allocated: release only the tables before it */
    buffer=(unsigned char *) RelinquishMagickMemory(buffer);
    for (k=0; k < i; k++)
      pcd_table[k]=(PCDTable *) RelinquishMagickMemory(pcd_table[k]);
    ThrowBinaryException(ResourceLimitError,"MemoryAllocationFailed",
      image->filename);
  }
if (r->length > 16)
  {
    /* pcd_table[i] was allocated here, so release it as well (k <= i) */
    buffer=(unsigned char *) RelinquishMagickMemory(buffer);
    for (k=0; k <= i; k++)
      pcd_table[k]=(PCDTable *) RelinquishMagickMemory(pcd_table[k]);
    return(MagickFalse);
  }
```
Prerequisites
Description
Memory leak in DecodeImage in coders/pcd.c, which is different from #1193 and #811.
Steps to Reproduce
The critical code snippet is:
https://github.com/ImageMagick/ImageMagick/blob/master/coders/pcd.c#L198
System Configuration
Credit to Bingchang Liu at VARAS of IIE
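The leak pattern and the effect of the two cleanup loops (`k < i` versus `k <= i`) can be reproduced in isolation. This is an added example, not ImageMagick code and not part of the original report; `decode`, `track_alloc`, `track_free` and the static arena are hypothetical stand-ins for DecodeImage and the MagickCore allocator.

```c
#include <stddef.h>

#define PLANES 3                       /* three tables, per the report's bound */
enum { ALLOC_FAIL, BAD_LENGTH };       /* the two early exits in the report */

/* Constructed stand-in allocator: hands out static slots and counts the ones
   not yet released, so the demo can measure a leak without really leaking. */
static unsigned char arena[PLANES + 1][64];
static int used, live_blocks;

static void *track_alloc(int fail)
{
  if (fail) return NULL;
  live_blocks++;
  return arena[used++];
}

/* Like RelinquishMagickMemory: releases the block and returns NULL. */
static void *track_free(void *p)
{
  if (p != NULL) live_blocks--;
  return NULL;
}

/* Simulates a decode that hits `kind` on table `bad` (bad < 0: no failure)
   and returns how many blocks are still allocated when it returns. */
static int decode(int bad, int kind, int fixed)
{
  void *table[PLANES] = { NULL, NULL, NULL }, *buffer;
  int i, k;

  used = live_blocks = 0;
  buffer = track_alloc(0);
  for (i = 0; i < PLANES; i++) {
    table[i] = track_alloc(i == bad && kind == ALLOC_FAIL);
    if (table[i] == NULL) {            /* table[i] itself was never allocated */
      buffer = track_free(buffer);
      for (k = 0; fixed && k < i; k++) table[k] = track_free(table[k]);
      return live_blocks;              /* table[] goes out of scope here */
    }
    if (i == bad && kind == BAD_LENGTH) {  /* stands in for r->length > 16 */
      buffer = track_free(buffer);
      for (k = 0; fixed && k <= i; k++) table[k] = track_free(table[k]);
      return live_blocks;
    }
  }
  buffer = track_free(buffer);         /* normal exit releases everything */
  for (i = 0; i < PLANES; i++) table[i] = track_free(table[i]);
  return live_blocks;
}
```

With `fixed` set to 0, a failure on the last table leaves two blocks allocated on the allocation-failure path and three on the length-check path; with the cleanup loops enabled both paths return 0.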