[gstreamer-bugs] [Bug 163348] New: [pngenc] Leaks and other nasty stuff
bugzilla-daemon at bugzilla.gnome.org
Sat Jan 8 09:12:06 PST 2005
Please DO NOT reply to this by email. All additional comments should be made in
the comments box of this bug report.
http://bugzilla.gnome.org/show_bug.cgi?id=163348
GStreamer | gst-plugins | Ver: HEAD CVS
Summary: [pngenc] Leaks and other nasty stuff
Product: GStreamer
Version: HEAD CVS
Platform: Other
OS/Version: Linux
Status: UNCONFIRMED
Severity: major
Priority: Normal
Component: gst-plugins
AssignedTo: gstreamer-bugs at lists.sourceforge.net
ReportedBy: algernon at bonehunter.rulez.org
QAContact: gstreamer-bugs at lists.sourceforge.net
CC: all-bugs at bugzilla.gnome.org
gst_pngenc_chain() does not unref the buffer it got on most error paths, nor
does it free the libpng structures. There are a few places where it can simply
corrupt memory on error. Observe this code, from gst_pngenc_chain():

  pngenc->png_info_ptr = png_create_info_struct (pngenc->png_struct_ptr);
  if (!pngenc->png_info_ptr) {
    png_destroy_read_struct (&(pngenc->png_struct_ptr), (png_infopp) NULL,
        (png_infopp) NULL);
  }

  /* non-0 return is from a longjmp inside of libpng */
  if (setjmp (pngenc->png_struct_ptr->jmpbuf) != 0) {
    GST_DEBUG ("returning from longjmp");
    png_destroy_write_struct (&pngenc->png_struct_ptr, &pngenc->png_info_ptr);
    return;
  }

If setting up png_info_ptr fails, there is no return, but png_struct_ptr is
destroyed. That might well result in the next block corrupting memory. Not to
mention that in the first block, a struct allocated by png_create_write_struct
is destroyed with png_destroy_read_struct. Note the write vs. read there. The
buffer isn't unref'ed either.
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are the QA contact for the bug.
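
The cleanup pattern the report calls for, as an added example (not code from the bug report or from GStreamer): a single exit path that releases the libpng-style structs and the input buffer on every error, exercised with injected failures. All types and functions here (fake_png, fake_info, fake_buf, tracked_alloc, destroy_write, write_image, chain_fixed, leftovers) are hypothetical stand-ins so the block builds without libpng or GStreamer.

```c
#include <setjmp.h>
#include <stdlib.h>
/* Hypothetical stand-ins for libpng's write/info structs and a GstBuffer. */
typedef struct { jmp_buf jmpbuf; } fake_png;
typedef struct { int unused; } fake_info;
typedef struct { int refcount; } fake_buf;
enum fail { FAIL_NONE, FAIL_STRUCT, FAIL_INFO, FAIL_WRITE };
static int live_allocs; /* fake libpng structs not yet destroyed */

static void *tracked_alloc(size_t n, int fail) {
  void *p = fail ? NULL : calloc(1, n);
  if (p) live_allocs++;
  return p;
}

/* NULL-safe and pointer-clearing, like png_destroy_write_struct(). */
static void destroy_write(fake_png **png, fake_info **info) {
  if (*info) { free(*info); *info = NULL; live_allocs--; }
  if (*png) { free(*png); *png = NULL; live_allocs--; }
}

/* Models a library call that reports errors by longjmp, as libpng does. */
static void write_image(fake_png *png, int fail) { if (fail) longjmp(png->jmpbuf, 1); }

/* Returns 0 on success, -1 on error; every path reaches the cleanup label. */
int chain_fixed(fake_buf *buf, enum fail inject) {
  fake_png *png = tracked_alloc(sizeof *png, inject == FAIL_STRUCT);
  fake_info *info = NULL;
  int ret = -1;
  if (!png) goto done;
  info = tracked_alloc(sizeof *info, inject == FAIL_INFO);
  if (!info) goto done;                    /* stop here, do not fall through */
  if (setjmp(png->jmpbuf) != 0) goto done; /* error raised inside the library */
  write_image(png, inject == FAIL_WRITE);
  ret = 0;
done:
  destroy_write(&png, &info); /* write-side destructor for write-side structs */
  buf->refcount--;            /* models gst_buffer_unref() on the input */
  return ret;
}

/* Runs one injected failure; returns structs plus buffer refs left behind. */
int leftovers(enum fail inject) {
  fake_buf buf = { 1 };
  live_allocs = 0;
  (void) chain_fixed(&buf, inject);
  return live_allocs + buf.refcount;
}
int main(void) { return leftovers(FAIL_INFO) | leftovers(FAIL_WRITE); }
```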