PNG saver: avoid double-free on write errors

png_write_end may trigger a write error which sets off longjmp - which then goes ahead and tries to free `misc.data` again. move the png_write_end call before `quit` label to avoid this. to reproduce, build scrot and imlib2 with ASan and then try to save a screenshot to /dev/full (`scrot -o /dev/full`).
2023-12-31 09:32:30 +00:00 · 2023-12-31 09:32:30 +00:00 · 3e8c01bef6
parent 9ad4769e0a
commit 3e8c01bef6
1 changed files with 2 additions and 1 deletions
--- a/src/modules/loaders/loader_png.c
+++ b/src/modules/loaders/loader_png.c
@ -745,11 +745,12 @@ _save(ImlibImage * im)
          }
     }

+   png_write_end(png_ptr, info_ptr);
+
   rc = LOAD_SUCCESS;

 quit:
   free(misc.data);
-   png_write_end(png_ptr, info_ptr);
   png_destroy_write_struct(&png_ptr, &info_ptr);

   return rc;