Memory leak in png2pnm.c : png2pnm while processing corrupted PNG image file #387

Open
chintanhshah opened this issue Jul 21, 2021 · 2 comments


chintanhshah commented Jul 21, 2021

In libpng version 1.6.37, there is a memory leak in png2pnm.c while processing the corrupted PNG image.

```
libpng error: PNG unsigned integer out of range
PNG2PNM
Error: unsuccessful conversion of PNG-image

=================================================================
==17967==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 256 byte(s) in 1 object(s) allocated from:
#0 0x4bac13 in malloc /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x4e9ea8 in png2pnm /opt/libpng-1.6.37/contrib/pngminus/png2pnm.c:307:8
#2 0x4e86cc in main /opt/libpng-1.6.37/contrib/pngminus/png2pnm.c:122:7
#3 0x7fa0d8dff83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

Indirect leak of 4096 byte(s) in 1 object(s) allocated from:
#0 0x4bac13 in malloc /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x4e9e8b in png2pnm /opt/libpng-1.6.37/contrib/pngminus/png2pnm.c:300:8
#2 0x4e86cc in main /opt/libpng-1.6.37/contrib/pngminus/png2pnm.c:122:7
#3 0x7fa0d8dff83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: 4352 byte(s) leaked in 2 allocation(s).
```

Memory is allocated in the code below in png2pnm.c:307:

```c
if ((row_pointers = (png_byte **)
     malloc ((size_t) height * sizeof (png_byte *))) == NULL)
{
  png_destroy_read_struct (&png_ptr, &info_ptr, NULL);
  free (png_pixels);
  return FALSE;
}
```

Perhaps while processing the corrupted PNG image, it is not able to convert it into a PNM file and does not free the memory before exiting:

```c
if (png2pnm (fp_rd, fp_wr, fp_al, raw, alpha) == FALSE)
{
  fprintf (stderr, "PNG2PNM\n");
  fprintf (stderr, "Error: unsuccessful conversion of PNG-image\n");
  exit (1);
}
```

POC file attached:

poc

chintanhshah commented Jul 26, 2021

POC file in a zip attached with the corrected CRC.
poc.zip

jbowler commented Nov 16, 2022

There is no memory leak here, the program has exited with a fatal error (and this is the correct behavior).
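
An added example, not part of this thread and not libpng or png2pnm code: a constructed C program showing the pattern under discussion, where a decoder aborts with a longjmp (as libpng's default error handling does) after two buffers were allocated, and a single cleanup path releases them before the function reports failure. It assumes a setjmp-based error return; `convert`, `read_row`, `xalloc`, `xfree` and the allocation counter are hypothetical names.

```c
#include <setjmp.h>
#include <stdlib.h>

/* Constructed stand-in for a decoder that reports fatal errors by longjmp.
   All names here are hypothetical; none of this is libpng code. */
static jmp_buf decode_err;
static int live_allocs;                    /* allocations not yet freed */

static void *xalloc(size_t n) { void *p = malloc(n); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }
int live_allocations(void) { return live_allocs; }

/* Fills one row, or aborts with longjmp when y is the "corrupt" row. */
static void read_row(unsigned char *row, size_t len, int y, int fail_row) {
  if (y == fail_row) longjmp(decode_err, 1);
  for (size_t i = 0; i < len; i++) row[i] = (unsigned char) y;
}

/* Returns 1 on success, 0 on failure; both buffers are freed on every path. */
int convert(size_t height, size_t row_bytes, int fail_row) {
  /* volatile: locals changed after setjmp() must be volatile to be read
     reliably once longjmp() has returned control here */
  unsigned char *volatile pixels = NULL;
  unsigned char **volatile rows = NULL;
  volatile int ok = 0;

  /* Reject sizes whose products would overflow size_t. */
  if (row_bytes == 0 || height > (size_t) -1 / row_bytes ||
      height > (size_t) -1 / sizeof *rows)
    return 0;

  if (setjmp(decode_err) == 0) {
    pixels = xalloc(height * row_bytes);
    rows = xalloc(height * sizeof *rows);
    if (pixels != NULL && rows != NULL) {
      for (size_t y = 0; y < height; y++) {
        rows[y] = pixels + y * row_bytes;
        read_row(rows[y], row_bytes, (int) y, fail_row);
      }
      ok = 1;
    }
  }
  /* Reached after normal completion and after a longjmp alike. */
  xfree(rows);
  xfree(pixels);
  return ok;
}

int main(void) { return (convert(4, 8, 2) == 0 && live_allocations() == 0) ? 0 : 1; }
```

Built with `-fsanitize=address`, the failing call above produces no LeakSanitizer report because nothing is still allocated when the function returns.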
