From 6adac809e96c8bfeb50a3bd14570a8118bcd5d65 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Thu, 13 Sep 2018 12:22:11 +0200 Subject: [PATCH 2/2] Fix potential leaked storage issues (CWE-772) --- src/Tk/tkImaging.c | 2 ++ src/_imaging.c | 15 +++++++++++++-- src/encode.c | 12 +++++++++--- src/libImaging/Histo.c | 12 +++++++++--- src/libImaging/Quant.c | 2 ++ src/libImaging/QuantOctree.c | 1 + src/libImaging/Resample.c | 2 ++ src/path.c | 8 ++++++-- 8 files changed, 44 insertions(+), 10 deletions(-) diff --git a/src/Tk/tkImaging.c b/src/Tk/tkImaging.c index f448be16..10090b0e 100644 --- a/src/Tk/tkImaging.c +++ b/src/Tk/tkImaging.c @@ -442,6 +442,7 @@ int load_tkinter_funcs(void) /* Try loading from the main program namespace first */ main_program = dlopen(NULL, RTLD_LAZY); if (_func_loader(main_program) == 0) { + dlclose(main_program); return 0; } /* Clear exception triggered when we didn't find symbols above */ @@ -470,6 +471,7 @@ int load_tkinter_funcs(void) /* dlclose probably safe because tkinter has been imported. */ dlclose(tkinter_lib); exit: + dlclose(main_program); Py_XDECREF(pModule); Py_XDECREF(pString); return ret; diff --git a/src/_imaging.c b/src/_imaging.c index 11f5f6ea..445470bf 100644 --- a/src/_imaging.c +++ b/src/_imaging.c @@ -856,8 +856,10 @@ _gaussian_blur(ImagingObject* self, PyObject* args) if (!imOut) return NULL; - if (!ImagingGaussianBlur(imOut, imIn, radius, passes)) + if (!ImagingGaussianBlur(imOut, imIn, radius, passes)) { + ImagingDelete(imOut); return NULL; + } return PyImagingNew(imOut); } @@ -1745,8 +1747,10 @@ _box_blur(ImagingObject* self, PyObject* args) if (!imOut) return NULL; - if (!ImagingBoxBlur(imOut, imIn, radius, n)) + if (!ImagingBoxBlur(imOut, imIn, radius, n)) { + ImagingDelete(imOut); return NULL; + } return PyImagingNew(imOut); } @@ -2386,6 +2390,7 @@ _draw_arc(ImagingDrawObject* self, PyObject* args) return NULL; if (n != 2) { PyErr_SetString(PyExc_TypeError, must_be_two_coordinates); + free(xy); return NULL; } @@ -2423,6 +2428,7 @@ _draw_bitmap(ImagingDrawObject* self, PyObject* args) PyErr_SetString(PyExc_TypeError, "coordinate list must contain exactly 1 coordinate" ); + free(xy); return NULL; } @@ -2458,6 +2464,7 @@ _draw_chord(ImagingDrawObject* self, PyObject* args) return NULL; if (n != 2) { PyErr_SetString(PyExc_TypeError, must_be_two_coordinates); + free(xy); return NULL; } @@ -2493,6 +2500,7 @@ _draw_ellipse(ImagingDrawObject* self, PyObject* args) return NULL; if (n != 2) { PyErr_SetString(PyExc_TypeError, must_be_two_coordinates); + free(xy); return NULL; } @@ -2674,6 +2682,7 @@ _draw_pieslice(ImagingDrawObject* self, PyObject* args) return NULL; if (n != 2) { PyErr_SetString(PyExc_TypeError, must_be_two_coordinates); + free(xy); return NULL; } @@ -2712,6 +2721,7 @@ _draw_polygon(ImagingDrawObject* self, PyObject* args) PyErr_SetString(PyExc_TypeError, "coordinate list must contain at least 2 coordinates" ); + free(xy); return NULL; } @@ -2754,6 +2764,7 @@ _draw_rectangle(ImagingDrawObject* self, PyObject* args) return NULL; if (n != 2) { PyErr_SetString(PyExc_TypeError, must_be_two_coordinates); + free(xy); return NULL; } diff --git a/src/encode.c b/src/encode.c index ae4277c0..9f7c6592 100644 --- a/src/encode.c +++ b/src/encode.c @@ -552,11 +552,15 @@ PyImaging_ZipEncoderNew(PyObject* self, PyObject* args) dictionary = NULL; encoder = PyImaging_EncoderNew(sizeof(ZIPSTATE)); - if (encoder == NULL) + if (encoder == NULL) { + free(dictionary); return NULL; + } - if (get_packer(encoder, mode, rawmode) < 0) + if (get_packer(encoder, mode, rawmode) < 0) { + free(dictionary); return NULL; + } encoder->encode = ImagingZipEncode; encoder->cleanup = ImagingZipEncodeCleanup; @@ -717,8 +721,10 @@ PyImaging_JpegEncoderNew(PyObject* self, PyObject* args) if (rawExif && rawExifLen > 0) { /* malloc check ok, length is from python parsearg */ char* pp = malloc(rawExifLen); // Freed in JpegEncode, Case 5 - if (!pp) + if (!pp) { + if (extra) free(extra); return PyErr_NoMemory(); + } memcpy(pp, rawExif, rawExifLen); rawExif = pp; } else diff --git a/src/libImaging/Histo.c b/src/libImaging/Histo.c index 2b35873e..b7c1a983 100644 --- a/src/libImaging/Histo.c +++ b/src/libImaging/Histo.c @@ -82,8 +82,10 @@ ImagingGetHistogram(Imaging im, Imaging imMask, void* minmax) h->histogram[im->image8[y][x]]++; ImagingSectionLeave(&cookie); } else { /* yes, we need the braces. C isn't Python! */ - if (im->type != IMAGING_TYPE_UINT8) + if (im->type != IMAGING_TYPE_UINT8) { + ImagingHistogramDelete(h); return ImagingError_ModeError(); + } ImagingSectionEnter(&cookie); for (y = 0; y < im->ysize; y++) { UINT8* in = (UINT8*) im->image32[y]; @@ -122,8 +124,10 @@ ImagingGetHistogram(Imaging im, Imaging imMask, void* minmax) ImagingSectionLeave(&cookie); break; case IMAGING_TYPE_INT32: - if (!minmax) + if (!minmax) { + ImagingHistogramDelete(h); return ImagingError_ValueError("min/max not given"); + } if (!im->xsize || !im->ysize) break; imin = ((INT32*) minmax)[0]; @@ -143,8 +147,10 @@ ImagingGetHistogram(Imaging im, Imaging imMask, void* minmax) ImagingSectionLeave(&cookie); break; case IMAGING_TYPE_FLOAT32: - if (!minmax) + if (!minmax) { + ImagingHistogramDelete(h); return ImagingError_ValueError("min/max not given"); + } if (!im->xsize || !im->ysize) break; fmin = ((FLOAT32*) minmax)[0]; diff --git a/src/libImaging/Quant.c b/src/libImaging/Quant.c index df313816..b94dc6e1 100644 --- a/src/libImaging/Quant.c +++ b/src/libImaging/Quant.c @@ -568,6 +568,8 @@ split(BoxNode *node) left=malloc(sizeof(BoxNode)); right=malloc(sizeof(BoxNode)); if (!left||!right) { + free(left); + free(right); return 0; } for(i=0;i<3;i++) { diff --git a/src/libImaging/QuantOctree.c b/src/libImaging/QuantOctree.c index e18ab3c6..d778c942 100644 --- a/src/libImaging/QuantOctree.c +++ b/src/libImaging/QuantOctree.c @@ -470,6 +470,7 @@ error: free(qp); free_color_cube(lookupCube); free_color_cube(coarseLookupCube); + free(paletteBuckets); free(paletteBucketsCoarse); free(paletteBucketsFine); free_color_cube(coarseCube); diff --git a/src/libImaging/Resample.c b/src/libImaging/Resample.c index cda005d9..b90395e8 100644 --- a/src/libImaging/Resample.c +++ b/src/libImaging/Resample.c @@ -538,6 +538,8 @@ ImagingResampleInner(Imaging imIn, int xsize, int ysize, if ( ! ksize_vert) { free(bounds_horiz); free(kk_horiz); + free(bounds_vert); + free(kk_vert); return NULL; } diff --git a/src/path.c b/src/path.c index b56ea838..5984a3d1 100644 --- a/src/path.c +++ b/src/path.c @@ -82,12 +82,16 @@ path_new(Py_ssize_t count, double* xy, int duplicate) xy = p; } - if (PyType_Ready(&PyPathType) < 0) + if (PyType_Ready(&PyPathType) < 0) { + free(xy); return NULL; + } path = PyObject_New(PyPathObject, &PyPathType); - if (path == NULL) + if (path == NULL) { + free(xy); return NULL; + } path->count = count; path->xy = xy; -- 2.17.1