diff options
| author | Henrik Smiding <henrik.smiding@intel.com> | 2015-02-17 17:56:24 +0100 |
|---|---|---|
| committer | Narayan Kamath <narayan@google.com> | 2015-02-25 14:46:54 +0000 |
| commit | d3ff9df7a1191da1c47710ea8bd568204e74a976 (patch) | |
| tree | 3848227ee25ab031f99c194533e13586c6e997cd | |
| parent | 31f957bd40b2fd7ce44c5f83be20bc5f39ff9838 (diff) | |
| download | libpng-d3ff9df7a1191da1c47710ea8bd568204e74a976.tar.gz | |
Fix buffer overwrite in png_build_index
Fixes buffer size calculations to take possible transformations
into account. Images with less than 256 colors in the palette,
that are transformed up to 8-bit, will not overwrite memory at
the end of the buffer. Verified with a 16 color image.
Also fixes some build warnings.
Change-Id: Ib7b256ffe7816148bfd39114ab7036dcf2218023
Signed-off-by: Henrik Smiding <henrik.smiding@intel.com>
| -rw-r--r-- | pngread.c | 5 |
1 files changed, 3 insertions, 2 deletions
@@ -763,7 +763,8 @@ png_build_index(png_structp png_ptr) number_rows_in_pass[0] = 8; } - rp = png_malloc(png_ptr, png_ptr->rowbytes); + // Allocate a buffer big enough for any transform. + rp = png_malloc(png_ptr, PNG_ROWBYTES(png_ptr->maximum_pixel_depth, png_ptr->width)); png_indexp index = png_malloc(png_ptr, sizeof(png_index)); png_ptr->index = index; @@ -781,7 +782,7 @@ png_build_index(png_structp png_ptr) // has roughly the same size of index. // This way, we won't consume to much memory in recording index. index->step[p] = INDEX_SAMPLE_SIZE * (8 / number_rows_in_pass[p]); - const int temp_size = + const png_uint_32 temp_size = (png_ptr->height + index->step[p] - 1) / index->step[p]; index->pass_line_index[p] = png_malloc(png_ptr, temp_size * sizeof(png_line_indexp)); |