author | Jay Berkenbilt <ejb@ql.org> | 2017-08-29 04:06:15 +0200 |
---|---|---|
committer | Jay Berkenbilt <ejb@ql.org> | 2017-08-29 04:16:45 +0200 |
commit | e999bbae43fc4fd0bdf24c3117574eb75216f0d9 (patch) | |
tree | f4f67ee0286f3855f966e76882746f65ee6092e2 /libqpdf | |
parent | c6872d2c700a9d27105debe93662ecaaf8beb3bd (diff) | |
download | qpdf-e999bbae43fc4fd0bdf24c3117574eb75216f0d9.tar.zst |
Fix memory leak with bad jpeg data
Diffstat (limited to 'libqpdf')
-rw-r--r-- | libqpdf/Pl_DCT.cc | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/libqpdf/Pl_DCT.cc b/libqpdf/Pl_DCT.cc index 121ee273..b341939e 100644 --- a/libqpdf/Pl_DCT.cc +++ b/libqpdf/Pl_DCT.cc @@ -66,7 +66,6 @@ void Pl_DCT::finish() { this->buf.finish(); - PointerHolder<Buffer> b = this->buf.getBuffer(); struct jpeg_compress_struct cinfo_compress; struct jpeg_decompress_struct cinfo_decompress; @@ -77,6 +76,10 @@ Pl_DCT::finish() jerr.pub.error_exit = error_handler; bool error = false; + // Using a PointerHolder<Buffer> here and passing it into compress + // and decompress causes a memory leak with setjmp/longjmp. Just + // use a pointer and delete it. + Buffer* b = this->buf.getBuffer(); if (setjmp(jerr.jmpbuf) == 0) { if (this->action == a_compress) @@ -92,6 +95,7 @@ Pl_DCT::finish() { error = true; } + delete b; if (this->action == a_compress) { @@ -127,7 +131,7 @@ class Freer }; void -Pl_DCT::compress(void* cinfo_p, PointerHolder<Buffer> b) +Pl_DCT::compress(void* cinfo_p, Buffer* b) { struct jpeg_compress_struct* cinfo = reinterpret_cast<jpeg_compress_struct*>(cinfo_p); @@ -183,7 +187,7 @@ Pl_DCT::compress(void* cinfo_p, PointerHolder<Buffer> b) } void -Pl_DCT::decompress(void* cinfo_p, PointerHolder<Buffer> b) +Pl_DCT::decompress(void* cinfo_p, Buffer* b) { struct jpeg_decompress_struct* cinfo = reinterpret_cast<jpeg_decompress_struct*>(cinfo_p); |
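Review bot: The raw `Buffer* b` taken before `setjmp` in the `@@ -77,6 +76,10 @@` hunk is freed only by the `delete b;` added after the setjmp block in the `@@ -92,6 +95,7 @@` hunk, so any exit from `finish()` that is neither a normal return nor a longjmp skips the delete. The bodies of `compress()` and `decompress()` are outside these hunks, but if either can propagate a C++ exception (for example from a write to the next pipeline stage), the buffer leaks again on the malformed-input path this commit is meant to fix. Ownership can stay in this frame, which longjmp returns to rather than jumps past: `PointerHolder<Buffer> bh = this->buf.getBuffer();`, pass `bh.getPointer()` to the two calls, and drop `delete b;`. The added comment would also help more if it gave the presumed cause, e.g. `// By-value PointerHolder copies made for compress/decompress are never destroyed when the libjpeg error handler longjmps, so the refcount never reaches zero.`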
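Review bot: `compress()` and `decompress()` now take a bare `Buffer*` (hunks `@@ -127,7 +131,7 @@` and `@@ -183,7 +187,7 @@`) and nothing at either signature says who owns it, so a later edit could add a `delete` or keep the pointer past the call and turn the leak fix into a double free or use-after-free. A comment above each definition would pin the contract: `// b is borrowed from finish(), which deletes it after this call; do not delete or store it.` Both function bodies continue outside the hunks, so it could not be checked here whether they hold other objects with destructors (such as the `Freer` helper declared just above `compress`) that a longjmp out of libjpeg would also skip; that is worth confirming.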