From 3e8c01bef6a2dd4a1811347491627695075bca3a Mon Sep 17 00:00:00 2001
From: NRK
Date: Sun, 31 Dec 2023 09:32:30 +0000
Subject: [PATCH] PNG saver: avoid double-free on write errors

png_write_end may trigger a write error which sets off longjmp - which then goes ahead and tries to free `misc.data` again. move the png_write_end call before `quit` label to avoid this. to reproduce, build scrot and imlib2 with ASan and then try to save a screenshot to /dev/full (`scrot -o /dev/full`).
---
 src/modules/loaders/loader_png.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/modules/loaders/loader_png.c b/src/modules/loaders/loader_png.c
index ac603d8..a291bc1 100644
--- a/src/modules/loaders/loader_png.c
+++ b/src/modules/loaders/loader_png.c
@@ -745,11 +745,12 @@ _save(ImlibImage * im)
 }
 }
+png_write_end(png_ptr, info_ptr);
+
 rc = LOAD_SUCCESS;
 quit:
 free(misc.data);
-png_write_end(png_ptr, info_ptr);
 png_destroy_write_struct(&png_ptr, &info_ptr);
 return rc;
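Review bot: Nothing at the relocated `png_write_end(png_ptr, info_ptr);` call records why it must stay above `quit:`, so a later cleanup could move it back next to png_destroy_write_struct and reintroduce the double free this commit removes; a comment such as `/* must precede quit: a write error longjmps to the error handler, which frees misc.data */` would pin the ordering. The fix also depends on two things outside the hunk that are worth checking: the longjmp target must reach `quit` with `rc` still holding its failure value, since `rc = LOAD_SUCCESS` is now only assigned after png_write_end returns, and `misc` must either be unmodified after the setjmp() call or be declared volatile, because a non-volatile local changed between setjmp() and longjmp() has an indeterminate value at `quit` (C11 7.13.2.1). Writing `misc.data = NULL;` immediately after `free(misc.data);` would additionally make `quit` tolerate any future error path that lands there after the buffer is already released. The body of _save starts and ends outside the hunk.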