[libpng16] Avoid possible NULL dereference in png_handle_eXIf when be…

…nign_errors

are allowed. Avoid leaking the input buffer "eXIf_buf".

ANNOUNCE

@@ -1,4 +1,4 @@
-Libpng 1.6.32beta01 - July 27, 2017
+Libpng 1.6.32beta01 - July 31, 2017
 
 This is not intended to be a public release. It will be replaced
 within a few weeks by a public version or by another test version.
@@ -25,7 +25,9 @@ Other information:
 
 Changes since the last public release (1.6.31):
 
-Version 1.6.32beta01 [July 27, 2017]
+Version 1.6.32beta01 [July 31, 2017]
+  Avoid possible NULL dereference in png_handle_eXIf when benign_errors
+    are allowed. Avoid leaking the input buffer "eXIf_buf".
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

CHANGES

@@ -5908,7 +5908,9 @@ Version 1.6.31rc02 [July 25, 2017]
 Version 1.6.31 [July 27, 2017]
   No changes.
 
-Version 1.6.32beta01 [July 27, 2017]
+Version 1.6.32beta01 [July 31, 2017]
+  Avoid possible NULL dereference in png_handle_eXIf when benign_errors
+    are allowed. Avoid leaking the input buffer "eXIf_buf".
 
 Send comments/corrections/commendations to png-mng-implement at lists.sf.net
 (subscription required; visit

pngrutil.c

@@ -2021,7 +2021,7 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
    if ((png_ptr->mode & PNG_HAVE_IHDR) == 0)
       png_chunk_error(png_ptr, "missing IHDR");
 
-   else if (info_ptr != NULL && (info_ptr->valid & PNG_INFO_eXIf) != 0)
+   else if (info_ptr == NULL || (info_ptr->valid & PNG_INFO_eXIf) != 0)
    {
       png_crc_finish(png_ptr, length);
       png_chunk_benign_error(png_ptr, "duplicate");
@@ -2044,6 +2044,8 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length)
    info_ptr->num_exif = length;
 
    png_set_eXIf(png_ptr, info_ptr, eXIf_buf);
+
+   png_free(png_ptr, eXIf_buf);
 }
 #endif