Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Double free problem #673

Merged
merged 2 commits into from Aug 25, 2019
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
Prev
Do not realloc array if new raster size is 0.
if realloc() is called with 0 size it may return NULL and this will be incorrectly handled
as not enough memory and (also) rasterBits will be freed by realloc but we will not update
it.
  • Loading branch information
os97673 committed Aug 14, 2019
commit 4944c92761e0a14f04868cbcf4f4e86fd4b7a4a9
10 changes: 8 additions & 2 deletions android-gif-drawable/src/main/c/decoding.c
Expand Up @@ -56,9 +56,15 @@ void DDGifSlurp(GifInfo *info, bool decode, bool exitAfterFrame) {
}

if (decode) {
int_fast32_t widthOverflow = gifFilePtr->Image.Width - info->originalWidth;
int_fast32_t heightOverflow = gifFilePtr->Image.Height - info->originalHeight;
const uint_fast32_t newRasterSize = gifFilePtr->Image.Width * gifFilePtr->Image.Height;
if (newRasterSize == 0) {
free(info->rasterBits);
info->rasterBits = NULL;
info->rasterSize = newRasterSize;
return;
}
const int_fast32_t widthOverflow = gifFilePtr->Image.Width - info->originalWidth;
const int_fast32_t heightOverflow = gifFilePtr->Image.Height - info->originalHeight;
if (newRasterSize > info->rasterSize || widthOverflow > 0 || heightOverflow > 0) {
void *tmpRasterBits = reallocarray(info->rasterBits, newRasterSize, sizeof(GifPixelType));
if (tmpRasterBits == NULL) {
Expand Down