shithub: freetype+ttf2subf


ref: 5327092bb28b6df742386d75555ba3ccc6d05ce6
parent: 04ebb2a000ee40df2a9900198ec62d79af745b1f
author: Nikhil Ramakrishnan <ramakrishnan.nikhil@gmail.com>
date: Fri Sep 20 02:30:28 EDT 2019

[woff2] Fix memory leaks.

Reported as

  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16896

* src/sfnt/sfwoff2.c (woff2_open_font): Fix error handling.
Free `uncompressed_buf'.
(reconstruct_font): Free `transformed_buf'.

--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2019-09-20  Nikhil Ramakrishnan  <ramakrishnan.nikhil@gmail.com>
+
+	[woff2] Fix memory leaks.
+
+	Reported as
+
+	  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16896
+
+	* src/sfnt/sfwoff2.c (woff2_open_font): Fix error handling.
+	Free `uncompressed_buf'.
+	(reconstruct_font): Free `transformed_buf'.
+
 2019-09-17  Werner Lemberg  <wl@gnu.org>
 
 	* src/otvalid/otvcommon.c (otv_Coverage_get_last): Guard `count'.
--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
@@ -1706,6 +1706,7 @@
     FT_FREE( table_entry );
     FT_Stream_Close( stream );
     FT_FREE( stream );
+    FT_FREE( transformed_buf );
 
     return error;
   }
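Review bot: `FT_FREE( transformed_buf )` releases a buffer that the caller allocated (the later hunk shows it passed as `reconstruct_font( uncompressed_buf, ...`), and nothing visible documents that ownership transfer. The pointer appears to be passed by value, so FT_FREE clears only the callee's copy and the caller is left holding a dangling pointer; the `uncompressed_buf = NULL;` added in the third sfwoff2.c hunk is what prevents a double free at `Exit`. I would state the contract in the function's header comment, e.g. `/* Takes ownership of `transformed_buf' and frees it before returning. */`, and add `/* freed by reconstruct_font() */` beside the NULL assignment. The signature and any earlier return paths are outside this hunk, so confirm that every exit reaches this free.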
@@ -2170,11 +2171,12 @@
                               woff2.uncompressed_size,
                               stream->cursor,
                               woff2.totalCompressedSize );
-    if ( error )
-      goto Exit;
 
     FT_FRAME_EXIT();
 
+    if ( error )
+      goto Exit;
+
     error = reconstruct_font( uncompressed_buf,
                               woff2.uncompressed_size,
                               indices,
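Review bot: The position of `if ( error ) goto Exit;` after `FT_FRAME_EXIT()` is load-bearing but carries no comment, so a later tidy-up could move the check back beside the decompress call and skip the frame exit on failure again. A one-line comment above the check would pin the ordering: `/* leave the frame first so it is released on the error path too */`. The matching frame entry is outside the hunk.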
@@ -2183,6 +2185,9 @@
                               &sfnt,
                               &sfnt_size,
                               memory );
+
+    uncompressed_buf = NULL;
+
     if ( error )
       goto Exit;
 
@@ -2221,6 +2226,7 @@
   Exit:
     FT_FREE( tables );
     FT_FREE( indices );
+    FT_FREE( uncompressed_buf );
 
     if ( error )
     {
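Review bot: `FT_FREE( uncompressed_buf )` under `Exit:` runs for every `goto Exit`, presumably including failures that occur before the buffer is allocated, so it is safe only if `uncompressed_buf` is initialised to NULL where it is declared. The declaration is outside the hunk; if it does not already carry `= NULL`, it should, because otherwise an early parse failure on a malformed WOFF2 file would free an indeterminate pointer. The `if ( error )` block continues past the end of the hunk.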