Fix a memory leak when decoding corrupted indexed PNGs.
authordml <dml@google.com>
Sat, 7 Mar 2015 00:25:28 +0000 (16:25 -0800)
committerCommit bot <commit-bot@chromium.org>
Sat, 7 Mar 2015 00:25:28 +0000 (16:25 -0800)
Commit to branch refs/heads/png-leak

BUG=skia:3457

Review URL: https://codereview.chromium.org/951663002

gyp/tests.gypi
src/images/SkImageDecoder_libpng.cpp
tests/InvalidIndexedPngTest.cpp [new file with mode: 0644]

index 3acb825da49a0a770f75d395e43d98ce865b3686..d4ca3af476472cae096908104e64613a675dd0b1 100644 (file)
     '../tests/ImageNewShaderTest.cpp',
     '../tests/InfRectTest.cpp',
     '../tests/InterpolatorTest.cpp',
+    '../tests/InvalidIndexedPngTest.cpp',
     '../tests/JpegTest.cpp',
     '../tests/KtxTest.cpp',
     '../tests/LListTest.cpp',
index f9ef6b7942306016c714668555d96b7c3c31fbb3..c074268cffbc996ef1b0f01765402f806504ba8c 100644 (file)
@@ -362,6 +362,12 @@ SkImageDecoder::Result SkPNGImageDecoder::onDecode(SkStream* sk_stream, SkBitmap
 
     SkAutoLockPixels alp(*decodedBitmap);
 
+    // Repeat setjmp, otherwise variables declared since the last call (e.g. alp
+    // and aur) won't get their destructors called in case of a failure.
+    if (setjmp(png_jmpbuf(png_ptr))) {
+        return kFailure;
+    }
+
     /* Turn on interlace handling.  REQUIRED if you are not using
     *  png_read_image().  To see how to handle interlacing passes,
     *  see the png_read_row() method below:
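Review bot: The comment above the new setjmp understates the hazard: in C++ a longjmp that skips automatic objects with non-trivial destructors (alp, and aur per the comment) is undefined behaviour, not merely a missed destructor call, so re-arming the jump target after those declarations is a correctness requirement rather than a tidy-up. The same rule applies to any non-trivial automatic object declared after this point and before a later libpng call that can longjmp; each such declaration needs the jump buffer re-established again, which is easy to miss in a long decoder function driven by untrusted input. I'd reword the comment to `// Re-arm setjmp: a longjmp from libpng across automatic objects with non-trivial destructors (alp, aur) is undefined behaviour, so the jump target must be re-established after every such declaration.` The enclosing onDecode body begins and ends outside this hunk and aur is not visible here, so its existence is taken from the comment rather than the code.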
diff --git a/tests/InvalidIndexedPngTest.cpp b/tests/InvalidIndexedPngTest.cpp
new file mode 100644 (file)
index 0000000..ba5b9a2
--- /dev/null
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2015 Google Inc.
+ *
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "SkBitmap.h"
+#include "SkForceLinking.h"
+#include "SkImageDecoder.h"
+#include "Test.h"
+
+// A valid 1x1 indexed PNG.
+unsigned char gPngData[] = {
+  0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d,
+  0x49, 0x48, 0x44, 0x52, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01,
+  0x08, 0x03, 0x00, 0x00, 0x00, 0x28, 0xcb, 0x34, 0xbb, 0x00, 0x00, 0x00,
+  0x09, 0x70, 0x48, 0x59, 0x73, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00,
+  0x1c, 0x00, 0x0f, 0x01, 0xb9, 0x8f, 0x00, 0x00, 0x00, 0x06, 0x50, 0x4c,
+  0x54, 0x45, 0xff, 0x00, 0x00, 0x00, 0xff, 0x00, 0xd2, 0x87, 0xef, 0x71,
+  0x00, 0x00, 0x00, 0x13, 0x49, 0x44, 0x41, 0x54, 0x78, 0xda, 0xed, 0xfd,
+  0x81, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0xf8, 0xaf, 0x16, 0x46, 0x00,
+  0x02, 0x00, 0x01, 0x32, 0x60, 0xf7, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x49,
+  0x45, 0x4e, 0x44, 0xae, 0x42, 0x60, 0x82
+};
+
+// Attempt to decode an invalid PNG that has a palette. Mostly we're looking to
+// make sure we don't leak memory since libpng uses setjmp for error handling so
+// it's very easy to accidentally skip destructors when a failure happens.
+DEF_TEST(InvalidIndexedPng, reporter) {
+  SkBitmap image;
+  SkForceLinking(false);
+  // Make our PNG invalid by changing a byte.
+  gPngData[sizeof(gPngData) - 1] = 1;
+  bool success = SkImageDecoder::DecodeMemory(
+      gPngData, sizeof(gPngData), &image, SkColorType::kUnknown_SkColorType,
+      SkImageDecoder::kDecodePixels_Mode);
+  REPORTER_ASSERT(reporter, !success);
+}
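Review bot: The test corrupts the file-scope array in place (`gPngData[sizeof(gPngData) - 1] = 1;`), so after the first run the bytes no longer match the `// A valid 1x1 indexed PNG.` comment and any other test in the same process that reuses the array would start from corrupted data; the array also has external linkage, so the name `gPngData` can collide with another test translation unit. Judging from the trailing bytes (`0x49, 0x45, 0x4e, 0x44` is "IEND" followed by four CRC bytes), the overwritten byte is the last byte of the IEND chunk CRC, which is worth stating in the comment so a later edit to the data keeps corrupting the intended spot. I'd make the array `static const`, copy it into a local buffer, corrupt the copy and point the decoder at the copy (memcpy needs `<string.h>`). The file also uses two-space indentation where the Skia source touched by this commit uses four.
```cpp
// A valid 1x1 indexed PNG; const so every run starts from intact data.
static const unsigned char gPngData[] = {
    // … unchanged: PNG bytes …
};

DEF_TEST(InvalidIndexedPng, reporter) {
    SkBitmap image;
    SkForceLinking(false);
    // Corrupt a copy, not the global: the last byte is the final byte of the
    // IEND chunk CRC.
    unsigned char data[sizeof(gPngData)];
    memcpy(data, gPngData, sizeof(data));
    data[sizeof(data) - 1] = 1;
    bool success = SkImageDecoder::DecodeMemory(
        data, sizeof(data), &image, SkColorType::kUnknown_SkColorType,
        SkImageDecoder::kDecodePixels_Mode);
    REPORTER_ASSERT(reporter, !success);
}
```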