In libpng version 1.6.37, there is a memory leak in png2pnm.c while processing a corrupted PNG image:
```text
libpng error: PNG unsigned integer out of range
PNG2PNM
Error: unsuccessful conversion of PNG-image
=================================================================
==17967==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 256 byte(s) in 1 object(s) allocated from:
#0 0x4bac13 in malloc /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x4e9ea8 in png2pnm /opt/libpng-1.6.37/contrib/pngminus/png2pnm.c:307:8
#2 0x4e86cc in main /opt/libpng-1.6.37/contrib/pngminus/png2pnm.c:122:7
#3 0x7fa0d8dff83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
Indirect leak of 4096 byte(s) in 1 object(s) allocated from:
#0 0x4bac13 in malloc /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x4e9e8b in png2pnm /opt/libpng-1.6.37/contrib/pngminus/png2pnm.c:300:8
#2 0x4e86cc in main /opt/libpng-1.6.37/contrib/pngminus/png2pnm.c:122:7
#3 0x7fa0d8dff83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
SUMMARY: AddressSanitizer: 4352 byte(s) leaked in 2 allocation(s).
```
Memory is allocated in the code below in png2pnm.c:307:

```c
/* png2pnm.c:307 (row_pointers; png_pixels was allocated at line 300) */
if ((row_pointers = (png_byte *)
   malloc ((size_t) height * sizeof (png_byte ))) == NULL)
{
  png_destroy_read_struct (&png_ptr, &info_ptr, NULL);
  free (png_pixels);
  return FALSE;
}
```
Perhaps while processing the corrupted PNG image, it is not able to convert it into a PNM file and does not free the memory before exiting:

```c
/* png2pnm.c:122 in main(), the caller shown in the stack trace */
if (png2pnm (fp_rd, fp_wr, fp_al, raw, alpha) == FALSE)
{
  fprintf (stderr, "PNG2PNM\n");
  fprintf (stderr, "Error: unsuccessful conversion of PNG-image\n");
  exit (1);
}
```
Can someone take a look into this and confirm the issue? Library version is 1.6.37.
Attached PoC file with corrected CRC. This should be able to reproduce the issue.
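The leak shape discussed above, as an added example that is not libpng's code: a self-contained stand-in for png2pnm's setjmp/longjmp error recovery (fake_png_error, fake_read_image, xmalloc/xfree, live_blocks and leak_count are all constructed here, and no real PNG is decoded) showing a handler that returns FALSE without freeing the row buffers beside one that releases them, with a live-block counter standing in for LeakSanitizer.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>

/* Live heap-block counter: a stand-in for what LeakSanitizer reports. */
static int live_blocks = 0;
static void *xmalloc(size_t n) { void *p = malloc(n); if (p) live_blocks++; return p; }
static void xfree(void *p) { if (p) { live_blocks--; free(p); } }

/* Constructed stand-ins for libpng: png_error() never returns, it longjmps to
 * the caller's setjmp (png_jmpbuf in the real API); a corrupted image aborts
 * png_read_image() part-way through the decode. */
static jmp_buf err_jmp;
static void fake_png_error(const char *m) { fprintf(stderr, "libpng error: %s\n", m); longjmp(err_jmp, 1); }
static void fake_read_image(int corrupted) { if (corrupted) fake_png_error("PNG unsigned integer out of range"); }

/* Leaky shape (what the report describes): the setjmp handler returns FALSE
 * without releasing png_pixels/row_pointers, which were allocated after
 * setjmp() and are still live when the decoder longjmps back. */
static int convert_leaky(int corrupted, size_t height, size_t row_bytes)
{
    unsigned char *png_pixels = NULL, **row_pointers = NULL;
    if (setjmp(err_jmp)) return 0;                    /* both buffers leak here */
    png_pixels = xmalloc(height * row_bytes);
    row_pointers = xmalloc(height * sizeof *row_pointers);
    if (!png_pixels || !row_pointers) { xfree(row_pointers); xfree(png_pixels); return 0; }
    for (size_t i = 0; i < height; i++) row_pointers[i] = png_pixels + i * row_bytes;
    fake_read_image(corrupted);                       /* may longjmp to the handler */
    xfree(row_pointers); xfree(png_pixels);
    return 1;
}

/* Fixed shape: pointers modified between setjmp() and longjmp() are declared
 * volatile (non-volatile locals changed after setjmp() are indeterminate in
 * the handler), and the handler frees whatever was allocated before the error. */
static int convert_fixed(int corrupted, size_t height, size_t row_bytes)
{
    unsigned char *volatile png_pixels = NULL;
    unsigned char **volatile row_pointers = NULL;
    if (setjmp(err_jmp)) { xfree(row_pointers); xfree(png_pixels); return 0; }
    png_pixels = xmalloc(height * row_bytes);
    row_pointers = xmalloc(height * sizeof *row_pointers);
    if (!png_pixels || !row_pointers) { xfree(row_pointers); xfree(png_pixels); return 0; }
    for (size_t i = 0; i < height; i++) row_pointers[i] = png_pixels + i * row_bytes;
    fake_read_image(corrupted);
    xfree(row_pointers); xfree(png_pixels);
    return 1;
}

/* Runs a converter on a corrupted input; returns blocks still live (0 == no leak). */
static int leak_count(int (*convert)(int, size_t, size_t))
{ int before = live_blocks; convert(1, 16, 256); return live_blocks - before; }
```

leak_count(convert_leaky) reports 2 leaked blocks, matching the "2 allocation(s)" in the sanitizer summary, while leak_count(convert_fixed) reports 0.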