From e999bbae43fc4fd0bdf24c3117574eb75216f0d9 Mon Sep 17 00:00:00 2001
From: Jay Berkenbilt
Date: Mon, 28 Aug 2017 22:06:15 -0400
Subject: Fix memory leak with bad jpeg data

---
 include/qpdf/Pl_DCT.hh |  4 ++--
 libqpdf/Pl_DCT.cc      | 10 +++++++---
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/include/qpdf/Pl_DCT.hh b/include/qpdf/Pl_DCT.hh
index 65b8762f..f9f6dbf4 100644
--- a/include/qpdf/Pl_DCT.hh
+++ b/include/qpdf/Pl_DCT.hh
@@ -49,8 +49,8 @@ class Pl_DCT: public Pipeline
     virtual void finish();
 
   private:
-    void compress(void* cinfo, PointerHolder);
-    void decompress(void* cinfo, PointerHolder);
+    void compress(void* cinfo, Buffer*);
+    void decompress(void* cinfo, Buffer*);
 
     enum action_e { a_compress, a_decompress };
 
diff --git a/libqpdf/Pl_DCT.cc b/libqpdf/Pl_DCT.cc
index 121ee273..b341939e 100644
--- a/libqpdf/Pl_DCT.cc
+++ b/libqpdf/Pl_DCT.cc
@@ -66,7 +66,6 @@ void
 Pl_DCT::finish()
 {
     this->buf.finish();
-    PointerHolder b = this->buf.getBuffer();
 
     struct jpeg_compress_struct cinfo_compress;
     struct jpeg_decompress_struct cinfo_decompress;
@@ -77,6 +76,10 @@ Pl_DCT::finish()
     jerr.pub.error_exit = error_handler;
     bool error = false;
 
+    // Using a PointerHolder here and passing it into compress
+    // and decompress causes a memory leak with setjmp/longjmp. Just
+    // use a pointer and delete it.
+    Buffer* b = this->buf.getBuffer();
     if (setjmp(jerr.jmpbuf) == 0)
     {
         if (this->action == a_compress)
@@ -92,6 +95,7 @@ Pl_DCT::finish()
     {
         error = true;
     }
+    delete b;
 
     if (this->action == a_compress)
     {
@@ -127,7 +131,7 @@ class Freer
 };
 
 void
-Pl_DCT::compress(void* cinfo_p, PointerHolder b)
+Pl_DCT::compress(void* cinfo_p, Buffer* b)
 {
     struct jpeg_compress_struct* cinfo = reinterpret_cast(cinfo_p);
 
@@ -183,7 +187,7 @@ Pl_DCT::compress(void* cinfo_p, PointerHolder b)
 }
 
 void
-Pl_DCT::decompress(void* cinfo_p, PointerHolder b)
+Pl_DCT::decompress(void* cinfo_p, Buffer* b)
 {
     struct jpeg_decompress_struct* cinfo = reinterpret_cast(cinfo_p);
 
--
cgit v1.2.3-54-g00ecf
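Review bot: The raw `Buffer* b = this->buf.getBuffer();` introduced in the second Pl_DCT.cc hunk is now owned by finish() across the whole setjmp region, but it is only released on the normal and longjmp paths; a C++ exception thrown out of compress()/decompress() (a downstream pipeline write failing, or std::bad_alloc) unwinds past `delete b;` in the next hunk and leaks the buffer, which is the same class of bug the commit sets out to fix. The longjmp problem was specific to the by-value PointerHolder copies living in the frames of compress()/decompress(), whose destructors longjmp skips (and which, strictly, makes the longjmp undefined behaviour); an owning object declared in finish() itself, before setjmp, is safe because longjmp lands back in that frame and the destructor still runs on every exit. I would therefore keep `PointerHolder<Buffer> b = this->buf.getBuffer();` in finish(), keep the new non-owning `Buffer*` signatures, pass `b.getPointer()` at the two call sites, and drop `delete b;` altogether, with a comment stating that compress/decompress receive a borrowed pointer precisely because longjmp will not run destructors in their frames. The same caveat applies to any other automatic object with a non-trivial destructor still inside compress()/decompress() — the `Freer` class defined just above compress() in the fourth hunk looks like one candidate, though its use is not visible here. finish() and the call sites continue outside these hunks.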