Substantial memory leak in canon cr3 decoder

In canon_cr3_decoder.cc there is a memory leak in crxFreeImageData:

  if (img->tiles)
  {
    for (int32_t curTile = 0; curTile < nTiles; curTile++, tile++)
      if (tile[curTile].comps)
        for (int32_t curPlane = 0; curPlane < img->nPlanes; curPlane++)
          crxFreeSubbandData(img, tile[curTile].comps + curPlane);
    free(img->tiles);
    img->tiles = 0;
  }

as you can see both tile and curTile are incremented, skipping every other tile and also addressing beyond the tile[] array.

This happens for every canon cr3 file in the thumbnail viewer and the editor.

With the following change:

  if (img->tiles)
  {
    for (int32_t curTile = 0; curTile < nTiles; curTile++)
      if (tile[curTile].comps)
        for (int32_t curPlane = 0; curPlane < img->nPlanes; curPlane++)
          crxFreeSubbandData(img, tile[curTile].comps + curPlane);
    free(img->tiles);
    img->tiles = 0;
  }

‌

when compiling with -DWITH_SAN=leak I no longer get the complains about the memory leaks.

This same leak is also present in the current libraw and rawtherapee implementations of the cr3 raw decoder.

Other memory leaks seem mostly harmless.

Comments (2)