Fix memory leaks with duplicate attribute names

while parsing a header, if someone has injected a duplicate attribute name as an attack vector, fix memory leak for certain attribute types Signed-off-by: Kimball Thurston <[email protected]>
AcademySoftwareFoundation · Sep 25, 2021 · 54075eb · 54075eb
1 parent b1b79cd
commit 54075eb
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/src/lib/OpenEXRCore/parse_header.c b/src/lib/OpenEXRCore/parse_header.c
@@ -433,6 +433,8 @@ extract_attr_float_vector (
 
     if (rv == EXR_ERR_SUCCESS && n > 0)
     {
+        /* in case of duplicate attr name in header (mostly fuzz testing) */
+        exr_attr_float_vector_destroy ((exr_context_t) ctxt, attrdata);
         rv = exr_attr_float_vector_init ((exr_context_t) ctxt, attrdata, n);
         if (rv != EXR_ERR_SUCCESS) return rv;
 
@@ -572,14 +574,17 @@ extract_attr_string_vector (
         pulled += nlen;
     }
 
+    // just in case someone injected a duplicate attribute name into the header
+    exr_attr_string_vector_destroy ((exr_context_t) ctxt, attrdata);
     attrdata->n_strings  = nstr;
     attrdata->alloc_size = nalloced;
     attrdata->strings    = clist;
-    return 0;
+    return EXR_ERR_SUCCESS;
 extract_string_vector_fail:
     for (int32_t i = 0; i < nstr; ++i)
         exr_attr_string_destroy ((exr_context_t) ctxt, clist + i);
     if (clist) ctxt->free_fn (clist);
+
     return rv;
 }
 
@@ -650,6 +655,7 @@ extract_attr_opaque (
     rv = check_bad_attrsz (ctxt, attrsz, 1, aname, tname, &n);
     if (rv != EXR_ERR_SUCCESS) return rv;
 
+    exr_attr_opaquedata_destroy ((exr_context_t) ctxt, attrdata);
     rv = exr_attr_opaquedata_init (
         (exr_context_t) ctxt, attrdata, (uint64_t) attrsz);
     if (rv != EXR_ERR_SUCCESS) return rv;
@@ -726,6 +732,7 @@ extract_attr_preview (
             sz[1]);
     }
 
+    exr_attr_preview_destroy ((exr_context_t) ctxt, attrdata);
     rv = exr_attr_preview_init ((exr_context_t) ctxt, attrdata, sz[0], sz[1]);
     if (rv != EXR_ERR_SUCCESS) return rv;
 
@@ -783,6 +790,7 @@ check_populate_channels (
         0,
         NULL,
         &(curpart->channels));
+
     if (rv != EXR_ERR_SUCCESS)
     {
         exr_attr_chlist_destroy ((exr_context_t) ctxt, &tmpchans);
@@ -793,6 +801,7 @@ check_populate_channels (
             EXR_REQ_CHANNELS_STR);
     }
 
+    exr_attr_chlist_destroy ((exr_context_t) ctxt, curpart->channels->chlist);
     *(curpart->channels->chlist) = tmpchans;
     return rv;
 }