authorDerek Sollenberger <djsollen@google.com>2014-09-23 17:05:52 +0000
committerAndroid Git Automerger <android-git-automerger@android.com>2014-09-23 17:05:52 +0000
commita4ba279116ea8ea396959c4b36b20786bcdc1b8a (patch)
tree68fe9b6ba6d4b83f4a746358cc3cdf701cd70bef
parentbac37a6482291f52552e8d3666f3422c1bbc159b (diff)
parent8594e1a8521b2cbdd941719b929b15ba943b1d4a (diff)
downloadlibpng-a4ba279116ea8ea396959c4b36b20786bcdc1b8a.tar.gz
am 8594e1a8: Incrementally increase the index size based on when the data structures are allocated.
* commit '8594e1a8521b2cbdd941719b929b15ba943b1d4a': Incrementally increase the index size based on when the data structures are allocated.
-rw-r--r--pngread.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/pngread.c b/pngread.c
index 2a6ffbe98..752eac005 100644
--- a/pngread.c
+++ b/pngread.c
@@ -781,10 +781,10 @@ png_build_index(png_structp png_ptr)
// has roughly the same size of index.
// This way, we won't consume to much memory in recording index.
index->step[p] = INDEX_SAMPLE_SIZE * (8 / number_rows_in_pass[p]);
- index->size[p] =
+ const int temp_size =
(png_ptr->height + index->step[p] - 1) / index->step[p];
index->pass_line_index[p] =
- png_malloc(png_ptr, index->size[p] * sizeof(png_line_indexp));
+ png_malloc(png_ptr, temp_size * sizeof(png_line_indexp));
// Get the row_byte_length seen by the filter. This value may be
// different from the row_byte_length of a bitmap in the case of
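Review bot: `temp_size` is declared as a signed `int`, yet it is derived from `png_ptr->height` and then multiplied by `sizeof(png_line_indexp)` to size the allocation, so an image-controlled count passes through a signed type on its way to `png_malloc`. Declaring it in the type of the height field (presumably `png_uint_32`, not visible here), e.g. `const png_uint_32 temp_size =`, keeps the arithmetic unsigned and avoids a signed/unsigned comparison at the loop bound in the next hunk. Separately, `index->size[p]` now stays at its previous value while `pass_line_index[p]` is already allocated. If the cleanup path frees that array only when `size[p]` is non-zero (the cleanup code is outside this diff), a failure before the first entry is complete would leak the array. `png_build_index` starts and ends outside the hunk.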
@@ -793,7 +793,7 @@ png_build_index(png_structp png_ptr)
PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1;
// Now, we record index for each indexing row.
- for (i = 0; i < index->size[p]; i++)
+ for (i = 0; i < temp_size; i++)
{
png_line_indexp line_index = png_malloc(png_ptr, sizeof(png_line_index));
index->pass_line_index[p][i] = line_index;
@@ -805,6 +805,11 @@ png_build_index(png_structp png_ptr)
line_index->stream_idat_position = index->stream_idat_position;
line_index->bytes_left_in_idat = png_ptr->idat_size + png_ptr->zstream.avail_in;
+ // increment the size now that we have the backing data structures.
+ // This prevents a crash in the event that png_read_row fails and
+ // we need to cleanup the partially constructed png_index_struct;
+ index->size[p] += 1;
+
// Skip the "step" number of rows to the next indexing row.
for (j = 0; j < index->step[p] &&
i * index->step[p] + j < png_ptr->height; j++)
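Review bot: `index->size[p] += 1` is only correct if `size[p]` is zero when the loop for pass `p` begins, and with the assignment removed in the first hunk nothing visible in this diff establishes that. It is worth confirming that the index is zeroed when it is allocated, or adding `index->size[p] = 0;` before the loop. The entry is also stored into `pass_line_index[p][i]` in the previous hunk but counted only here, so if a step between the two fails, that `line_index` and anything it already owns fall outside the range cleanup walks; this would be a leak rather than the crash the comment describes. A short comment on the `size` field stating that it counts fully constructed entries, not the allocated capacity, would make the invariant explicit for whoever maintains the cleanup code. The loop body continues past the end of the hunk.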