kern/46518: stbi splash: compressed PNG file causes panic

[nathanialsloss%yahoo.com.au@localhost]

>Number:         46518
>Category:       kern
>Synopsis:       stbi splash: compressed PNG file causes panic
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Jun 02 14:20:00 +0000 2012
>Originator:     Nat Sloss
>Release:        NetBSD Current 6.99.6
>Organization:
>Environment:
NetBSD beast 6.99.6 NetBSD 6.99.6 (LOCKDEBUG) #54: Sat Jun  2 17:32:26 EST 2012 
 build@beast:/usr/src/sys/arch/i386/compile/obj/LOCKDEBUG i386

>Description:
When booting with a splash screen picture that is a compressed PNG picture the 
kernel crashes.
>How-To-Repeat:
Create a compressed PNG image:
bmptopnm splash.bmp| pnmtopng - -compression 9 > /splash.png

Then boot with it:

vesa 800x600x16
splash splash.png
boot

>Fix:
The problem stems from the fact that one of the pointers is NULL and it is then 
freed so to fix it I applied this patch:

===================================================================
RCS file: /cvsroot/src/sys/dev/stbi/stb_image.c,v
retrieving revision 1.2
diff -u -r1.2 stb_image.c
--- sys/dev/stbi/stb_image.c    20 Jan 2012 23:13:47 -0000      1.2
+++ sys/dev/stbi/stb_image.c    2 Jun 2012 14:18:05 -0000
@@ -3050,9 +3050,12 @@
       *y = p->s.img_y;
       if (n) *n = p->s.img_n;
    }
-   FREE(p->out);      p->out      = NULL;
-   FREE(p->expanded); p->expanded = NULL;
-   FREE(p->idata);    p->idata    = NULL;
+   if (p->out != NULL)
+       FREE(p->out);      p->out      = NULL;
+   if (p->expanded != NULL)
+       FREE(p->expanded); p->expanded = NULL;
+   if (p->idata != NULL)
+       FREE(p->idata);    p->idata    = NULL;

    return result;
 }


Note: This patch is my own work which I submit under the NetBSD license.

Regards,

Nat.