In tif_ojpeg.c, in OJPEGReadHeaderInfoSecTablesDcTable, we have rb=_TIFFmalloc(ra). After, values for rb are filled out. Then there is an if (p!=q) return 0, which goes before the line sp->dctable[m]=rb; Therefore, clearly rb is leaking every time the if (p!=q) is entered, since memory is allocated but it is not even assigned anywhere. Our fix: https://pdfium-review.googlesource.com/c/2176/
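The leak shape described in this report, next to the shape with the failure path fixed, as an added example that is not libtiff or PDFium code. The counting allocator, state_t, read_block and the load_table_* functions are hypothetical stand-ins, and the short read is constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical counting allocator so an unreleased buffer is observable. */
static int live_allocs = 0;
static void *xmalloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }

typedef struct { unsigned char *dctable; } state_t; /* stand-in for decoder state */

/* Simulated read: fills at most `avail` bytes and returns the count. */
static size_t read_block(unsigned char *dst, size_t want, size_t avail) {
    size_t n = want < avail ? want : avail;
    memset(dst, 0xAB, n);
    return n;
}

/* Leaky shape: the early return comes before the pointer is stored anywhere. */
static int load_table_leaky(state_t *sp, size_t want, size_t avail) {
    unsigned char *rb = xmalloc(want);
    if (rb == NULL) return 0;
    size_t p = read_block(rb, want, avail);
    if (p != want) return 0;        /* like `if (p!=q) return 0`: rb has no owner */
    xfree(sp->dctable);             /* drop any previously stored table */
    sp->dctable = rb;
    return 1;
}

/* Fixed shape: the failure path releases the buffer before returning. */
static int load_table_fixed(state_t *sp, size_t want, size_t avail) {
    unsigned char *rb = xmalloc(want);
    if (rb == NULL) return 0;
    size_t p = read_block(rb, want, avail);
    if (p != want) { xfree(rb); return 0; }
    xfree(sp->dctable);
    sp->dctable = rb;
    return 1;
}

/* Allocations still outstanding after one failed load plus normal state cleanup. */
static int leaked_after_failed_read(int (*load)(state_t *, size_t, size_t)) {
    state_t s = { NULL };
    int before = live_allocs;
    int ok = load(&s, 64, 10);      /* constructed: 64 bytes wanted, 10 available */
    xfree(s.dctable);
    return ok ? -1 : live_allocs - before;
}

int main(void) {
    printf("leaky: %d\n", leaked_after_failed_read(load_table_leaky));
    printf("fixed: %d\n", leaked_after_failed_read(load_table_fixed));
    return 0;
}
```

Building the same file with -fsanitize=address reports the buffer lost in load_table_leaky at exit on platforms where LeakSanitizer is available.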
Patch applied per

2017-01-12 Even Rouault <even.rouault at spatialys.com>

* libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
when read fails.
Patch by Nicolás Peña.
Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659

/cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
new revision: 1.1212; previous revision: 1.1211
/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v <-- libtiff/tif_ojpeg.c
new revision: 1.67; previous revision: 1.66
(In reply to comment #1)
> Patch applied per
>
> 2017-01-12 Even Rouault <even.rouault at spatialys.com>
>
> * libtiff/tif_ojpeg.c: fix leak in OJPEGReadHeaderInfoSecTablesAcTable
> when read fails.
> Patch by Nicolás Peña.
> Fixes http://bugzilla.maptools.org/show_bug.cgi?id=2659
>
> /cvs/maptools/cvsroot/libtiff/ChangeLog,v <-- ChangeLog
> new revision: 1.1212; previous revision: 1.1211
> /cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v <-- libtiff/tif_ojpeg.c
> new revision: 1.67; previous revision: 1.66

I added to my patch fixes to similar leaks in other methods in the same file.
Additional fixes pushed in

/cvs/maptools/cvsroot/libtiff/libtiff/tif_ojpeg.c,v <-- libtiff/tif_ojpeg.c
new revision: 1.68; previous revision: 1.67
This is CVE-2017-7594.