authorNarayan Kamath <narayan@google.com>2015-04-03 14:35:24 +0100
committerNarayan Kamath <narayan@google.com>2015-04-03 14:35:24 +0100
commit481d5259a7f4368fabb385594c4b030ce1e6cf5f (patch)
treefdfbd746e8b480cd20172d85b17ada21f201ef46
parent6b38063822f28d9a46df5e5701d585d387e03f0e (diff)
Revert "Fix buffer overwrite in png_build_index" DO NOT MERGE
This reverts commit 6b38063822f28d9a46df5e5701d585d387e03f0e. This change is broken for kitkat (based on libpng 1.2.x) but valid on lmp-dev (based on libpng 1.6.x) and later. bug: 19507636
-rw-r--r--pngread.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/pngread.c b/pngread.c
index 6ba7ddc6e..cc213b8d7 100644
--- a/pngread.c
+++ b/pngread.c
@@ -1000,8 +1000,7 @@ png_build_index(png_structp png_ptr)
number_rows_in_pass[0] = 8;
}
- // Allocate a buffer big enough for any transform.
- rp = png_malloc(png_ptr, PNG_ROWBYTES(png_ptr->maximum_pixel_depth, png_ptr->width));
+ rp = png_malloc(png_ptr, png_ptr->rowbytes);
png_indexp index = png_malloc(png_ptr, sizeof(png_index));
png_ptr->index = index;
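Review bot: With `rp = png_malloc(png_ptr, png_ptr->rowbytes);` the row buffer is again sized from `rowbytes` alone, so the overwrite tracked as bug 19507636 is presumably back on this branch unless something else bounds the row reads. The code that writes into `rp` lies outside the hunk, so the maximum width of those writes is not visible here; if a transform can expand a row past `rowbytes`, the buffer is too small. Since the description says the reverted sizing is broken on the 1.2.x base, a follow-up should size `rp` the same way this branch sizes its own transformed row buffer. Until then a comment such as `/* FIXME(bug 19507636): rp is sized from rowbytes only; may be too small once transforms expand the row */` would keep the gap visible.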
@@ -1019,7 +1018,7 @@ png_build_index(png_structp png_ptr)
// has roughly the same size of index.
// This way, we won't consume to much memory in recording index.
index->step[p] = INDEX_SAMPLE_SIZE * (8 / number_rows_in_pass[p]);
- const png_uint_32 temp_size =
+ const int temp_size =
(png_ptr->height + index->step[p] - 1) / index->step[p];
index->pass_line_index[p] =
png_malloc(png_ptr, temp_size * sizeof(png_line_indexp));
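Review bot: `const int temp_size` makes the element count signed before it is multiplied by `sizeof(png_line_indexp)` in the `png_malloc` call two lines below. `png_ptr->height` is unsigned, so a quotient above INT_MAX would become a negative int and then a very large size in that multiplication. The library's dimension limits probably keep the value small in practice, but the signed type adds nothing. This line looks unrelated to the 1.2.x breakage named in the description, so it could stay as `const png_uint_32 temp_size =`, ideally with an overflow check on the multiplication before allocating. The loop this sits in starts and ends outside the hunk.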