Call png_image_free_function without guarding it with png_safe_execute

png_image_free_function (or any other destructor) should never fail. Destructors need not and must not be executed under png_safe_execute. Reference: CVE-2019-7317, use-after-free in png_image_free Upstream commit: pnggroup/libpng@9c0d5c7 pnggroup/libpng#275 Change-Id: I1f8f39bb80e8be17aaa565c8efc28a93d56b0b12
LineageOS · May 14, 2019 · 76f2acf · 76f2acf
1 parent 6e267ff
commit 76f2acf
Showing 1 changed file with 1 addition and 2 deletions.
diff --git a/png.c b/png.c
@@ -4594,8 +4594,7 @@ png_image_free(png_imagep image)
    if (image != NULL && image->opaque != NULL &&
       image->opaque->error_buf == NULL)
    {
-      /* Ignore errors here: */
-      (void)png_safe_execute(image, png_image_free_function, image);
+      png_image_free_function(image);
       image->opaque = NULL;
    }
 }