From 6adac809e96c8bfeb50a3bd14570a8118bcd5d65 Mon Sep 17 00:00:00 2001
From: Lumir Balhar <lbalhar@redhat.com>
Date: Thu, 13 Sep 2018 12:22:11 +0200
Subject: [PATCH 2/2] Fix potential leaked storage issues (CWE-772)
---
src/Tk/tkImaging.c | 2 ++
src/_imaging.c | 15 +++++++++++++--
src/encode.c | 12 +++++++++---
src/libImaging/Histo.c | 12 +++++++++---
src/libImaging/Quant.c | 2 ++
src/libImaging/QuantOctree.c | 1 +
src/libImaging/Resample.c | 2 ++
src/path.c | 8 ++++++--
8 files changed, 44 insertions(+), 10 deletions(-)
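--- a/src/Tk/tkImaging.c
+++ b/src/Tk/tkImaging.c
@@ -442,6 +442,7 @@ int load_tkinter_funcs(void)
 /* Try loading from the main program namespace first */
 main_program = dlopen(NULL, RTLD_LAZY);
 if (_func_loader(main_program) == 0) {
+ dlclose(main_program);
 return 0;
 }
 /* Clear exception triggered when we didn't find symbols above */
@@ -470,6 +471,7 @@ int load_tkinter_funcs(void)
 /* dlclose probably safe because tkinter has been imported. */
 dlclose(tkinter_lib);
 exit:
+ dlclose(main_program);
 Py_XDECREF(pModule);
 Py_XDECREF(pString);
 return ret;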
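Review bot: The result of `dlopen(NULL, RTLD_LAZY)` is not checked in the visible lines, so both new `dlclose(main_program)` calls can receive a NULL handle, and dlclose is only specified for handles that dlopen actually returned. Guard both calls, e.g. `if (main_program) dlclose(main_program);`. The `exit:` label may also be reached from gotos outside the hunk; if any of them can run before `main_program` is assigned, the declaration needs a `= NULL` initialiser as well. load_tkinter_funcs starts and ends outside both hunks.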
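--- a/src/_imaging.c
+++ b/src/_imaging.c
@@ -856,8 +856,10 @@ _gaussian_blur(ImagingObject* self, PyObject* args)
 if (!imOut)
 return NULL;
 
- if (!ImagingGaussianBlur(imOut, imIn, radius, passes))
+ if (!ImagingGaussianBlur(imOut, imIn, radius, passes)) {
+ ImagingDelete(imOut);
 return NULL;
+ }
 
 return PyImagingNew(imOut);
 }
@@ -1745,8 +1747,10 @@ _box_blur(ImagingObject* self, PyObject* args)
 if (!imOut)
 return NULL;
 
- if (!ImagingBoxBlur(imOut, imIn, radius, n))
+ if (!ImagingBoxBlur(imOut, imIn, radius, n)) {
+ ImagingDelete(imOut);
 return NULL;
+ }
 
 return PyImagingNew(imOut);
 }
@@ -2386,6 +2390,7 @@ _draw_arc(ImagingDrawObject* self, PyObject* args)
 return NULL;
 if (n != 2) {
 PyErr_SetString(PyExc_TypeError, must_be_two_coordinates);
+ free(xy);
 return NULL;
 }
 
@@ -2423,6 +2428,7 @@ _draw_bitmap(ImagingDrawObject* self, PyObject* args)
 PyErr_SetString(PyExc_TypeError,
 "coordinate list must contain exactly 1 coordinate"
 );
+ free(xy);
 return NULL;
 }
 
@@ -2458,6 +2464,7 @@ _draw_chord(ImagingDrawObject* self, PyObject* args)
 return NULL;
 if (n != 2) {
 PyErr_SetString(PyExc_TypeError, must_be_two_coordinates);
+ free(xy);
 return NULL;
 }
 
@@ -2493,6 +2500,7 @@ _draw_ellipse(ImagingDrawObject* self, PyObject* args)
 return NULL;
 if (n != 2) {
 PyErr_SetString(PyExc_TypeError, must_be_two_coordinates);
+ free(xy);
 return NULL;
 }
 
@@ -2674,6 +2682,7 @@ _draw_pieslice(ImagingDrawObject* self, PyObject* args)
 return NULL;
 if (n != 2) {
 PyErr_SetString(PyExc_TypeError, must_be_two_coordinates);
+ free(xy);
 return NULL;
 }
 
@@ -2712,6 +2721,7 @@ _draw_polygon(ImagingDrawObject* self, PyObject* args)
 PyErr_SetString(PyExc_TypeError,
 "coordinate list must contain at least 2 coordinates"
 );
+ free(xy);
 return NULL;
 }
 
@@ -2754,6 +2764,7 @@ _draw_rectangle(ImagingDrawObject* self, PyObject* args)
 return NULL;
 if (n != 2) {
 PyErr_SetString(PyExc_TypeError, must_be_two_coordinates);
+ free(xy);
 return NULL;
 }
 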
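Review bot: The seven `_draw_*` hunks each add the same hand-written `free(xy);` to the coordinate-count check, so the next early return added to any of these functions can bring the leak back. Routing the rejection through one cleanup label per function, `error: free(xy); return NULL;`, would keep the release in a single place. It would also help to state the ownership where `xy` is obtained, e.g. `/* xy is heap-allocated above and owned by this function until it returns */`; the allocation itself is outside the hunks, so confirm it is malloc-compatible before relying on `free`. Every one of these functions starts and ends outside its hunk.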
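--- a/src/encode.c
+++ b/src/encode.c
@@ -552,11 +552,15 @@ PyImaging_ZipEncoderNew(PyObject* self, PyObject* args)
 dictionary = NULL;
 
 encoder = PyImaging_EncoderNew(sizeof(ZIPSTATE));
- if (encoder == NULL)
+ if (encoder == NULL) {
+ free(dictionary);
 return NULL;
+ }
 
- if (get_packer(encoder, mode, rawmode) < 0)
+ if (get_packer(encoder, mode, rawmode) < 0) {
+ free(dictionary);
 return NULL;
+ }
 
 encoder->encode = ImagingZipEncode;
 encoder->cleanup = ImagingZipEncodeCleanup;
@@ -717,8 +721,10 @@ PyImaging_JpegEncoderNew(PyObject* self, PyObject* args)
 if (rawExif && rawExifLen > 0) {
 /* malloc check ok, length is from python parsearg */
 char* pp = malloc(rawExifLen); // Freed in JpegEncode, Case 5
- if (!pp)
+ if (!pp) {
+ if (extra) free(extra);
 return PyErr_NoMemory();
+ }
 memcpy(pp, rawExif, rawExifLen);
 rawExif = pp;
 } else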
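Review bot: In the PyImaging_ZipEncoderNew hunk the `get_packer` failure branch now frees `dictionary` but still returns without releasing `encoder`, which PyImaging_EncoderNew allocated two statements earlier, so that path keeps leaking the encoder object. Assuming `encoder` is a reference-counted Python object, as the constructor name suggests, adding `Py_DECREF(encoder);` before `free(dictionary);` closes it; check that the deallocator tolerates an encoder whose `cleanup` pointer has not been set yet, since that code is outside the hunk. In the JPEG hunk the guard in `if (extra) free(extra);` is redundant, because `free(NULL)` is a no-op. Both functions start and end outside their hunks.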
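--- a/src/libImaging/Histo.c
+++ b/src/libImaging/Histo.c
@@ -82,8 +82,10 @@ ImagingGetHistogram(Imaging im, Imaging imMask, void* minmax)
 h->histogram[im->image8[y][x]]++;
 ImagingSectionLeave(&cookie);
 } else { /* yes, we need the braces. C isn't Python! */
- if (im->type != IMAGING_TYPE_UINT8)
+ if (im->type != IMAGING_TYPE_UINT8) {
+ ImagingHistogramDelete(h);
 return ImagingError_ModeError();
+ }
 ImagingSectionEnter(&cookie);
 for (y = 0; y < im->ysize; y++) {
 UINT8* in = (UINT8*) im->image32[y];
@@ -122,8 +124,10 @@ ImagingGetHistogram(Imaging im, Imaging imMask, void* minmax)
 ImagingSectionLeave(&cookie);
 break;
 case IMAGING_TYPE_INT32:
- if (!minmax)
+ if (!minmax) {
+ ImagingHistogramDelete(h);
 return ImagingError_ValueError("min/max not given");
+ }
 if (!im->xsize || !im->ysize)
 break;
 imin = ((INT32*) minmax)[0];
@@ -143,8 +147,10 @@ ImagingGetHistogram(Imaging im, Imaging imMask, void* minmax)
 ImagingSectionLeave(&cookie);
 break;
 case IMAGING_TYPE_FLOAT32:
- if (!minmax)
+ if (!minmax) {
+ ImagingHistogramDelete(h);
 return ImagingError_ValueError("min/max not given");
+ }
 if (!im->xsize || !im->ysize)
 break;
 fmin = ((FLOAT32*) minmax)[0];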
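Review bot: All three rejected cases (`im->type != IMAGING_TYPE_UINT8` in the first hunk, a missing `minmax` in the INT32 and FLOAT32 cases) depend only on the function's arguments, yet they are tested after `h` exists, which is why each one now needs its own `ImagingHistogramDelete(h)`. Validating the arguments before the histogram is allocated would take the cleanup out of these paths altogether. The allocation is outside the hunks, so confirm that nothing between it and these checks alters the inputs. If the checks stay where they are, a comment at the allocation such as `/* h is owned from here on; every early return must call ImagingHistogramDelete(h) */` would make the rule visible to the next editor.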
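--- a/src/libImaging/Quant.c
+++ b/src/libImaging/Quant.c
@@ -568,6 +568,8 @@ split(BoxNode *node)
 left=malloc(sizeof(BoxNode));
 right=malloc(sizeof(BoxNode));
 if (!left||!right) {
+ free(left);
+ free(right);
 return 0;
 }
 for(i=0;i<3;i++) {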
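--- a/src/libImaging/QuantOctree.c
+++ b/src/libImaging/QuantOctree.c
@@ -470,6 +470,7 @@ error:
 free(qp);
 free_color_cube(lookupCube);
 free_color_cube(coarseLookupCube);
+ free(paletteBuckets);
 free(paletteBucketsCoarse);
 free(paletteBucketsFine);
 free_color_cube(coarseCube);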
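Review bot: The added `free(paletteBuckets)` at the `error:` label is safe only if `paletteBuckets` is either NULL or a live allocation on every path that jumps there, and neither the declaration nor the gotos are inside the hunk. Check that the variable is declared with `= NULL` and that any `free(paletteBuckets)` on the success path is followed by `paletteBuckets = NULL;`. Otherwise this line replaces a leak with a free of an indeterminate or already-released pointer.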
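--- a/src/libImaging/Resample.c
+++ b/src/libImaging/Resample.c
@@ -538,6 +538,8 @@ ImagingResampleInner(Imaging imIn, int xsize, int ysize,
 if ( ! ksize_vert) {
 free(bounds_horiz);
 free(kk_horiz);
+ free(bounds_vert);
+ free(kk_vert);
 return NULL;
 }
 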
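Review bot: The two added calls free `bounds_vert` and `kk_vert` on the branch where `ksize_vert` is zero, which presumably means the vertical coefficient setup failed, so these pointers may never have been assigned. If the helper that fills them leaves its output arguments untouched on failure and the variables are declared without an initialiser (both are outside the hunk), `free()` runs on indeterminate pointers, which is undefined behaviour and a worse outcome than the leak being fixed. Initialise both at their declaration (`bounds_vert = NULL`, `kk_vert = NULL`), or drop the two calls if the helper already releases its own partial allocations before returning.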
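--- a/src/path.c
+++ b/src/path.c
@@ -82,12 +82,16 @@ path_new(Py_ssize_t count, double* xy, int duplicate)
 xy = p;
 }
 
- if (PyType_Ready(&PyPathType) < 0)
+ if (PyType_Ready(&PyPathType) < 0) {
+ free(xy);
 return NULL;
+ }
 
 path = PyObject_New(PyPathObject, &PyPathType);
- if (path == NULL)
+ if (path == NULL) {
+ free(xy);
 return NULL;
+ }
 
 path->count = count;
 path->xy = xy;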
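Review bot: When `duplicate` is zero, `xy` still appears to be the caller's buffer (the visible `xy = p;` reassignment sits inside a block that closes just before the checks), so the new `free(xy)` calls make path_new release the caller's memory on failure. That is correct only if every caller hands over ownership and neither frees nor reads `xy` after a NULL return; a caller that cleans up its own buffer would now double-free it. State the contract at the top of the function, e.g. `/* takes ownership of xy when duplicate is 0; xy is freed on failure */`, and check the call sites against it. path_new starts and ends outside the hunk.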
--
2.17.1