diff options
| author | Derek Sollenberger <djsollen@google.com> | 2014-09-22 16:28:36 -0400 |
|---|---|---|
| committer | Derek Sollenberger <djsollen@google.com> | 2014-09-22 16:28:36 -0400 |
| commit | 8594e1a8521b2cbdd941719b929b15ba943b1d4a (patch) | |
| tree | 91739e32ae24c44c9c361e06e4edf43cd3dd5e8c | |
| parent | 7f21a7f1c312334ba3548100d6fbdb5679127026 (diff) | |
| download | libpng-android-5.0.0_r7.tar.gz | |
Incrementally increase the index size based on when the data structures are allocated.android-wear-5.0.0_r1android-l-preview_r2android-cts-5.0_r9android-cts-5.0_r8android-cts-5.0_r7android-cts-5.0_r6android-cts-5.0_r5android-cts-5.0_r4android-cts-5.0_r3android-5.1.1_r7android-5.1.0_r5android-5.1.0_r4android-5.1.0_r3android-5.1.0_r1android-5.0.2_r3android-5.0.2_r1android-5.0.1_r1android-5.0.0_r7android-5.0.0_r6android-5.0.0_r5.1android-5.0.0_r5android-5.0.0_r4android-5.0.0_r3android-5.0.0_r2android-5.0.0_r1lollipop-wear-releaselollipop-releaselollipop-mr1-devlollipop-devlollipop-cts-releasel-preview
This should prevent crashes when we attempt to cleanup the codec when an image
fails to properly decode in tiled mode.
bug: 17433945
Change-Id: I145269b25bd2cf820f5c9b4b00ac15d4278dfbd1
| -rw-r--r-- | pngread.c | 11 |
1 files changed, 8 insertions, 3 deletions
@@ -781,10 +781,10 @@ png_build_index(png_structp png_ptr) // has roughly the same size of index. // This way, we won't consume to much memory in recording index. index->step[p] = INDEX_SAMPLE_SIZE * (8 / number_rows_in_pass[p]); - index->size[p] = + const int temp_size = (png_ptr->height + index->step[p] - 1) / index->step[p]; index->pass_line_index[p] = - png_malloc(png_ptr, index->size[p] * sizeof(png_line_indexp)); + png_malloc(png_ptr, temp_size * sizeof(png_line_indexp)); // Get the row_byte_length seen by the filter. This value may be // different from the row_byte_length of a bitmap in the case of @@ -793,7 +793,7 @@ png_build_index(png_structp png_ptr) PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1; // Now, we record index for each indexing row. - for (i = 0; i < index->size[p]; i++) + for (i = 0; i < temp_size; i++) { png_line_indexp line_index = png_malloc(png_ptr, sizeof(png_line_index)); index->pass_line_index[p][i] = line_index; @@ -805,6 +805,11 @@ png_build_index(png_structp png_ptr) line_index->stream_idat_position = index->stream_idat_position; line_index->bytes_left_in_idat = png_ptr->idat_size + png_ptr->zstream.avail_in; + // increment the size now that we have the backing data structures. + // This prevents a crash in the event that png_read_row fails and + // we need to cleanup the partially constructed png_index_struct; + index->size[p] += 1; + // Skip the "step" number of rows to the next indexing row. for (j = 0; j < index->step[p] && i * index->step[p] + j < png_ptr->height; j++) |