author | Narayan Kamath <narayan@google.com> | 2015-04-03 14:35:24 +0100 |
---|---|---|
committer | Narayan Kamath <narayan@google.com> | 2015-04-03 14:35:24 +0100 |
commit | 481d5259a7f4368fabb385594c4b030ce1e6cf5f (patch) | |
tree | fdfbd746e8b480cd20172d85b17ada21f201ef46 | |
parent | 6b38063822f28d9a46df5e5701d585d387e03f0e (diff) | |
download | libpng-481d5259a7f4368fabb385594c4b030ce1e6cf5f.tar.gz |
Revert "Fix buffer overwrite in png_build_index" DO NOT MERGE
This reverts commit 6b38063822f28d9a46df5e5701d585d387e03f0e.
This change is broken for kitkat (based on libpng 1.2.x) but valid
on lmp-dev (based on libpng 1.6.x) and later.
bug: 19507636
-rw-r--r-- | pngread.c | 5 |
1 files changed, 2 insertions, 3 deletions
@@ -1000,8 +1000,7 @@ png_build_index(png_structp png_ptr)
 number_rows_in_pass[0] = 8;
 }
- // Allocate a buffer big enough for any transform.
- rp = png_malloc(png_ptr, PNG_ROWBYTES(png_ptr->maximum_pixel_depth, png_ptr->width));
+ rp = png_malloc(png_ptr, png_ptr->rowbytes);
 png_indexp index = png_malloc(png_ptr, sizeof(png_index));
 png_ptr->index = index;
@@ -1019,7 +1018,7 @@ png_build_index(png_structp png_ptr)
 // has roughly the same size of index.
 // This way, we won't consume to much memory in recording index.
 index->step[p] = INDEX_SAMPLE_SIZE * (8 / number_rows_in_pass[p]);
- const png_uint_32 temp_size =
+ const int temp_size =
 (png_ptr->height + index->step[p] - 1) / index->step[p];
 index->pass_line_index[p] = png_malloc(png_ptr, temp_size * sizeof(png_line_indexp)); |
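Review bot: In the first hunk `rp` is again allocated with `png_ptr->rowbytes`, the size the reverted commit replaced with one its own comment described as "big enough for any transform", so the buffer overwrite that commit targeted presumably remains on this branch. The message explains why the 1.6-style sizing cannot be used here, but not what bounds writes into `rp` instead. If a 1.2.x-compatible sizing does not land with this revert, the allocation should at least carry a marker such as `/* FIXME: rowbytes may be smaller than a transformed row; see bug 19507636 */`. The code that fills `rp` lies outside the hunk, so the exact overflow condition cannot be confirmed from here.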
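Review bot: The second hunk narrows `temp_size` back to `int`, although the value is computed from `png_ptr->height` and then used in `temp_size * sizeof(png_line_indexp)` as the `png_malloc` size. For a very large image height the conversion to `int` can yield a negative value, which becomes a huge or wrapped size in that multiplication. The type change does not appear to depend on the 1.6-only field used in the first hunk, so this part of the fix could stay as `const png_uint_32 temp_size =`. An upper bound on the element count before the multiplication would be worth adding as well. The loop that later indexes `pass_line_index[p]` is outside the hunk.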