git pushed a commit to branch double-free
in repository legacy-imlib2.
commit 45deaf9580da7163536e28d6307f0177b7623d4b
Author: NRK <n...@disroot.org>
AuthorDate: Sun Dec 31 09:32:13 2023 +0000
PNG saver: avoid UB on misc.data
If the value of a local variable changes between the setjmp call and the
longjmp call, it has to be marked volatile; otherwise it's undefined
behavior. [0]
keep a separate volatile copy of misc.data to avoid slowing down the
regular path.
[0]: https://www.man7.org/linux/man-pages/man3/setjmp.3.html#CAVEATS
---
src/modules/loaders/loader_png.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/modules/loaders/loader_png.c b/src/modules/loaders/loader_png.c
index a291bc1..39eeee7 100644
--- a/src/modules/loaders/loader_png.c
+++ b/src/modules/loaders/loader_png.c
@@ -616,10 +616,15 @@ _save(ImlibImage * im)
int quality = 75, compression = 3;
int pass, n_passes = 1;
int has_alpha;
+ // the value of misc.data pointer changes between setjmp and longjmp in
+ // case of error and thus needs to be volatile in order to avoid UB.
+ // info_ptr and png_ptr don't suffer from this issue.
+ void *volatile misc_data_volatile;
rc = LOAD_FAIL;
info_ptr = NULL;
misc.data = ""
+ misc_data_volatile = NULL;
png_ptr = png_create_write_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL);
if (!png_ptr)
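Review bot: The new comment on `misc_data_volatile` explains why the copy is volatile but not the ownership rule the rest of the patch depends on. After this change the `quit:` path frees only `misc_data_volatile`, so any later assignment to `misc.data` that is not mirrored into the copy would leak the buffer or free a stale pointer. I would add a line such as `// owning copy: the only pointer freed at quit; update it on every assignment to misc.data.` The same invariant covers the assignment in the second hunk and the `free()` in the third. `_save` starts and ends outside this hunk, so whether other assignments to `misc.data` exist cannot be checked from here.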
@@ -660,6 +665,7 @@ _save(ImlibImage * im)
interlace, PNG_COMPRESSION_TYPE_BASE,
PNG_FILTER_TYPE_BASE);
misc.data = "" * 3 * sizeof(png_byte));
+ misc_data_volatile = misc.data;
}
sig_bit.red = 8;
sig_bit.green = 8;
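Review bot: The buffer assigned to `misc.data` in this branch is copied into `misc_data_volatile` with no NULL check visible in the hunk, so an allocation failure would only surface later, presumably when the buffer is written as the row scratch space. Unless a check exists outside the hunk, add one right after the copy, e.g. `if (!misc.data) goto quit;`, with `rc` set to whatever failure code the loader uses for out-of-memory. `free()` at `quit:` accepts a NULL pointer, so the early exit needs no extra cleanup. `_save` continues outside this hunk.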
@@ -750,7 +756,7 @@ _save(ImlibImage * im)
rc = LOAD_SUCCESS;
quit:
- free(misc.data);
+ free(misc_data_volatile);
png_destroy_write_struct(&png_ptr, &info_ptr);
return rc;