authorNarayan Kamath <narayan@google.com>2015-02-25 14:52:40 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>2015-02-25 14:52:40 +0000
commit2c5449771bc66dd1aa4f00ae9e36fca1134ac148 (patch)
tree3848227ee25ab031f99c194533e13586c6e997cd
parent31f957bd40b2fd7ce44c5f83be20bc5f39ff9838 (diff)
parentd3ff9df7a1191da1c47710ea8bd568204e74a976 (diff)
Merge "Fix buffer overwrite in png_build_index"
-rw-r--r--pngread.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/pngread.c b/pngread.c
index 752eac005..2ce83edc0 100644
--- a/pngread.c
+++ b/pngread.c
@@ -763,7 +763,8 @@ png_build_index(png_structp png_ptr)
number_rows_in_pass[0] = 8;
}
- rp = png_malloc(png_ptr, png_ptr->rowbytes);
+ // Allocate a buffer big enough for any transform.
+ rp = png_malloc(png_ptr, PNG_ROWBYTES(png_ptr->maximum_pixel_depth, png_ptr->width));
png_indexp index = png_malloc(png_ptr, sizeof(png_index));
png_ptr->index = index;
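Review bot: The new size for `rp` is only as good as the value of `png_ptr->maximum_pixel_depth` when this line runs, and nothing in the hunk shows that the field has been computed before the allocation. If it were still zero or stale here, `PNG_ROWBYTES` would presumably return fewer bytes than the transformed rows later read into `rp`, and the overwrite this commit fixes would come back. I would spell the dependency out in the comment, e.g. `// rp receives fully transformed rows; maximum_pixel_depth must already be set by row setup so this covers the widest transform.`, and confirm that the row-setup call precedes this line. png_build_index starts and ends outside the hunk, so the ordering cannot be checked from here.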
@@ -781,7 +782,7 @@ png_build_index(png_structp png_ptr)
// has roughly the same size of index.
// This way, we won't consume to much memory in recording index.
index->step[p] = INDEX_SAMPLE_SIZE * (8 / number_rows_in_pass[p]);
- const int temp_size =
+ const png_uint_32 temp_size =
(png_ptr->height + index->step[p] - 1) / index->step[p];
index->pass_line_index[p] =
png_malloc(png_ptr, temp_size * sizeof(png_line_indexp));
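Review bot: With `temp_size` now unsigned, the byte count `temp_size * sizeof(png_line_indexp)` handed to `png_malloc` is still computed without a bound check, so a wrap would silently produce a short array rather than a negative value. Whether it can wrap depends on `INDEX_SAMPLE_SIZE` and on the limit enforced on `png_ptr->height`, neither of which is visible in the hunk; on a target with a 32-bit `size_t` the margin is the smallest value `index->step[p]` can take. A comment such as `// temp_size = ceil(height / step) index entries; height is capped by the IHDR checks, so the product below fits in size_t.` would record the assumption, and a name like `entry_count` would say what the value is. The loop that fills the array lies outside the hunk.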