On Thu, 04 Jun 2026 05:40:47 +0000, Johannes Schneider wrote:
> png_open() set img->data from png_info->image->data and then called
> png_alloc_free_all(), which freed every buffer the picopng allocator
> tracks -- including the decoded pixel buffer.  Callers held a
> dangling img->data, and the later png_close() free()'d it again.
> 
> Add png_alloc_detach() to drop a tracked address from the allocator
> without freeing it, transferring ownership to the caller, and use it
> in png_open() before png_alloc_free_all() runs.
> 
> [...]

Applied, thanks!

[1/1] lib: gui: png_pico: fix use-after-free and double-free in png_open
      https://git.pengutronix.de/cgit/barebox/commit/?id=b94f31ff9f3a (link may not be stable)

Best regards,
-- 
Sascha Hauer <[email protected]>
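
The ownership hand-off described in the commit message above, as an added example that is not barebox or picopng code: a minimal tracking allocator with a detach operation used before the bulk free. All names (track_alloc, track_detach, track_free_all, image_open, struct image) and the buffer sizes are hypothetical stand-ins.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical tracking allocator; names are illustrative, not picopng's. */
#define MAX_TRACKED 16
static void *tracked[MAX_TRACKED];
struct image { unsigned char *data; };

static void *track_alloc(size_t n)
{
	for (size_t i = 0; i < MAX_TRACKED; i++)
		if (!tracked[i])
			return tracked[i] = malloc(n);
	return NULL; /* table full */
}

/* Forget addr without freeing it: ownership moves to the caller. */
static int track_detach(void *addr)
{
	for (size_t i = 0; addr && i < MAX_TRACKED; i++)
		if (tracked[i] == addr) {
			tracked[i] = NULL;
			return 1;
		}
	return 0;
}

/* Free every buffer still tracked; returns how many were released. */
static size_t track_free_all(void)
{
	size_t n = 0;
	for (size_t i = 0; i < MAX_TRACKED; i++) {
		n += tracked[i] != NULL;
		free(tracked[i]); /* free(NULL) is a no-op */
		tracked[i] = NULL;
	}
	return n;
}

/* Open path with the fix: detach the pixel buffer before the bulk free. */
static int image_open(struct image *img, size_t *released)
{
	void *scratch = track_alloc(32);         /* decoder temporary */
	unsigned char *pixels = track_alloc(64); /* constructed 4x4 RGBA */
	img->data = (scratch && pixels) ? pixels : NULL;
	if (img->data)
		memset(img->data, 0xAB, 64);
	track_detach(img->data); /* without this, free_all also frees img->data */
	*released = track_free_all();
	return img->data ? 0 : -1;
}
```

After image_open() returns, the caller owns img->data and releases it with exactly one free(); the allocator no longer has an entry that could free it a second time.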

