Summary
This is not a bug in lcms itself. It is a bug in cms_postscript_fuzzer, where cmsDeleteContext is not called when cmsOpenProfileFromMem fails.
Bug Details (P1: Harness Logic)
```c
cmsContext context = cmsCreateContext(NULL, (void *)data); // line 22
if (!context) return 0;
cmsHPROFILE hProfile = cmsOpenProfileFromMem(data, size);
if (!hProfile){
    return 0; // ← BUG: context leaked
}
// ... normal path correctly calls cmsDeleteContext(context)
```
Impact
Since most random fuzz inputs are not valid ICC profiles, cmsOpenProfileFromMem fails on the majority of iterations. This makes the context leak high-frequency — contexts accumulate rapidly in lcms2's global linked list, causing unbounded memory growth and performance degradation.
Suggested Fix
```diff
 if (!hProfile){
+    cmsDeleteContext(context);
     return 0;
 }
```
Coverage Comparison
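Review bot: the added cmsDeleteContext(context) closes the leak on this branch only; any other early return between cmsCreateContext and the normal-path cleanup needs the same call, so a single cleanup label (or deleting the context in one exit path that every branch reaches) is more robust than a per-branch delete. Separately, the profile is opened with cmsOpenProfileFromMem(data, size) rather than the context-taking cmsOpenProfileFromMemTHR(context, data, size), so the created context is never actually used by the profile open; either use the THR variant or drop the context entirely, which would remove the leak by construction.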
| Version | Lines | Functions |
|---|---|---|
| Original | 27.00% | 39.06% |
| Fixed | 27.00% | 39.06% |
Coverage unchanged — fix does not regress fuzzer effectiveness.
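An added, self-contained C model of the leak described under Bug Details and Impact (not the fuzzer's or lcms2's code): the ctx_* functions are constructed stand-ins for lcms2's context registry and profile_open for cmsOpenProfileFromMem; it runs the leaky and the fixed harness shapes over a campaign where only 1 in 100 inputs parses and reports how many contexts survive.

```c
/* Added example, not lcms2 code: ctx_* are constructed stand-ins for lcms2's
 * global context list; the two harness bodies mirror the shapes in the issue. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
typedef struct ctx { struct ctx *next; } ctx_t;
static ctx_t *g_contexts = NULL;   /* stand-in for lcms2's context registry */
static ctx_t *ctx_create(void) {
    ctx_t *c = malloc(sizeof *c);
    if (!c) return NULL;
    c->next = g_contexts; g_contexts = c;   /* registered until deleted */
    return c;
}
static void ctx_delete(ctx_t *c) {   /* unlink and free, like cmsDeleteContext */
    for (ctx_t **p = &g_contexts; *p; p = &(*p)->next)
        if (*p == c) { *p = c->next; free(c); return; }
}
/* Stand-in for cmsOpenProfileFromMem: only inputs starting "acsp" parse (assumption). */
static int profile_open(const unsigned char *data, size_t size) {
    return size >= 4 && memcmp(data, "acsp", 4) == 0;
}
/* Harness as on the page: the early return skips ctx_delete. */
static int harness_leaky(const unsigned char *data, size_t size) {
    ctx_t *context = ctx_create();
    if (!context) return 0;
    if (!profile_open(data, size)) return 0;   /* BUG: context leaked */
    ctx_delete(context);
    return 0;
}
/* Fixed harness: every exit after ctx_create goes through one cleanup label. */
static int harness_fixed(const unsigned char *data, size_t size) {
    ctx_t *context = ctx_create();
    if (!context) return 0;
    if (!profile_open(data, size)) goto cleanup;
    /* ... PostScript generation would run here on a parsed profile ... */
cleanup:
    ctx_delete(context);
    return 0;
}
/* Feeds n inputs, 1 in 100 "valid"; returns contexts still registered after. */
static size_t live_after_campaign(int (*h)(const unsigned char *, size_t), int n) {
    for (int i = 0; i < n; i++) {
        unsigned char buf[8] = "random!";
        if (i % 100 == 0) memcpy(buf, "acsp", 4);
        h(buf, sizeof buf);
    }
    size_t live = 0;
    while (g_contexts) { ctx_delete(g_contexts); live++; }   /* count and reset */
    return live;
}
```

With 1000 inputs the leaky shape leaves 990 contexts registered (one per failed open) while the fixed shape leaves none, which is the linear growth the Impact section describes.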