author | Cosmin Truta <ctruta@gmail.com> | 2019-02-03 22:40:56 -0500 |
---|---|---|
committer | Cosmin Truta <ctruta@gmail.com> | 2019-02-03 22:40:56 -0500 |
commit | 9c0d5c77bf5bf2d7c1e11f388de40a70e0191550 (patch) | |
tree | 72e2e0c455f684527aae176a5886ed49e8609020 | |
parent | 8439534daa1d3a5705ba92e653eda9251246dd61 (diff) | |
download | libpng-9c0d5c77bf5bf2d7c1e11f388de40a70e0191550.tar.gz |
Call png_image_free_function without guarding it with png_safe_execute

png_image_free_function (or any other destructor) should never fail.
Destructors need not and must not be executed under png_safe_execute.

Reference: CVE-2019-7317, use-after-free in png_image_free
-rw-r--r-- | png.c | 3 |
1 files changed, 1 insertions, 2 deletions
@@ -4588,8 +4588,7 @@ png_image_free(png_imagep image) if (image != NULL && image->opaque != NULL && image->opaque->error_buf == NULL) { - /* Ignore errors here: */ - (void)png_safe_execute(image, png_image_free_function, image); + png_image_free_function(image); image->opaque = NULL; } } |
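Review bot: the new direct call `png_image_free_function(image);` in png_image_free has no in-code explanation, because the hunk deletes the only comment at this site (`/* Ignore errors here: */`) without replacing it. Suggest a short comment above the call saying that the destructor must not be routed through png_safe_execute, with a pointer to CVE-2019-7317 (the use-after-free in png_image_free that the commit message cites), so a later cleanup does not reintroduce the wrapper. Separately, the removed line discarded its result explicitly with a `(void)` cast; if png_image_free_function still returns a value, keep the discard explicit with `(void)png_image_free_function(image);` to avoid unused-result warnings and make the intent clear.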