fix(ico,png): avoid leaking error string across png_chunk_error longjmp#5289

Open
lgritz wants to merge 1 commit into AcademySoftwareFoundation:main from lgritz:lg-pngerr

Conversation

lgritz (Collaborator) commented Jul 2, 2026

PngReadCallback passed input->geterror(false).c_str() to png_chunk_error() when a PNG read failed. png_chunk_error() does not return -- it longjmps back to libpng's setjmp point, which skips C++ destructors, so the temporary std::string returned by geterror() was never freed. The fuzzer surfaced this as a small, intermittent leak (a few KB across hundreds of thousands of runs).

Copy the message into a plain stack buffer (no destructor) before calling png_chunk_error, so nothing heap-allocated is alive across the longjmp.

Assisted-by: Claude Code / Claude Opus 4.8

PngReadCallback passed icoinput->geterror(false).c_str() to
png_chunk_error() when a PNG read failed. png_chunk_error() does not
return -- it longjmps back to libpng's setjmp point, which skips C++
destructors, so the temporary std::string returned by geterror() was
never freed. The fuzzer surfaced this as a small, intermittent leak (a
few KB across hundreds of thousands of runs).

Copy the message into a plain stack buffer (no destructor) before calling
png_chunk_error, so nothing heap-allocated is alive across the longjmp.

Assisted-by: Claude Code / Claude Opus 4.8

Signed-off-by: Larry Gritz <lg@larrygritz.com>
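The leak described above, reproduced in a small stand-alone C++ model (added example, not OpenImageIO or libpng code): a counting allocator makes the heap block behind the temporary string observable, a fake setjmp/longjmp error path stands in for libpng's png_chunk_error(), and the two callbacks show the buggy pattern beside the stack-buffer fix from this PR. All names (Counting, TrackedString, geterror, fake_chunk_error, leaked_blocks) and the error message are invented for the example.

```cpp
#include <csetjmp>
#include <cstring>
#include <memory>
#include <string>
// Allocator that counts live heap blocks so a leak is observable in a test.
static long g_live_blocks = 0;
template <class T> struct Counting {
    using value_type = T;
    Counting() = default;
    template <class U> Counting(const Counting<U>&) {}
    T* allocate(std::size_t n) { ++g_live_blocks; return std::allocator<T>().allocate(n); }
    void deallocate(T* p, std::size_t n) { --g_live_blocks; std::allocator<T>().deallocate(p, n); }
    template <class U> bool operator==(const Counting<U>&) const { return true; }
    template <class U> bool operator!=(const Counting<U>&) const { return false; }
};
using TrackedString = std::basic_string<char, std::char_traits<char>, Counting<char>>;
// Stand-in for ImageInput::geterror(): a heap-backed temporary (too long for SSO).
static TrackedString geterror() {
    return TrackedString("ICO: nested PNG read failed; constructed message, long enough to heap-allocate");
}
// Stand-in for libpng's error jump: records the message and never returns.
static jmp_buf g_png_jmpbuf;
static char g_last_error[256];
[[noreturn]] static void fake_chunk_error(const char* msg) {
    std::strncpy(g_last_error, msg, sizeof(g_last_error) - 1);
    g_last_error[sizeof(g_last_error) - 1] = '\0';
    std::longjmp(g_png_jmpbuf, 1);   // skips C++ destructors of every frame it unwinds
}
// Buggy pattern: the temporary returned by geterror() is still alive when longjmp fires.
static void leaky_callback() { fake_chunk_error(geterror().c_str()); }
// Fixed pattern: copy into a plain char array (no destructor) and let the string die first.
static void fixed_callback() {
    char buf[256];
    {
        TrackedString err = geterror();   // freed at the end of this block
        std::strncpy(buf, err.c_str(), sizeof(buf) - 1);
        buf[sizeof(buf) - 1] = '\0';
    }
    fake_chunk_error(buf);                // nothing heap-allocated is alive across the jump
}
// Runs a callback under a libpng-style setjmp; returns how many heap blocks it leaked.
static long leaked_blocks(void (*callback)()) {
    long before = g_live_blocks;
    if (setjmp(g_png_jmpbuf) == 0)
        callback();                       // lands back here via longjmp
    return g_live_blocks - before;
}
```

Jumping over a frame whose destructors would have run is undefined behaviour in standard C++; mainstream compilers simply skip them, which is exactly the leak the fuzzer reported.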