[FFmpeg-devel] [PATCH 1/2] avcodec/pngdec: Fix padded alloc code with threads
Michael Niedermayer
michaelni at gmx.at
Fri Aug 30 16:31:36 CEST 2013
Fixes Ticket2903
Fixes out of array write
no releases should be affected by this
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
---
libavcodec/pngdec.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 436e798..9305b32 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -62,6 +62,7 @@ typedef struct PNGDecContext {
uint8_t *last_row;
int last_row_size;
uint8_t *tmp_row;
+ unsigned int tmp_row_size;
uint8_t *buffer;
int buffer_size;
int pass;
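Review bot: The new `tmp_row_size` field is `unsigned int` while the neighbouring `last_row_size` stays `int`, yet the png_handle_row hunk exchanges the two with `FFSWAP(unsigned int, s->last_row_size, s->tmp_row_size)`, so every swap converts across signedness. The values are buffer capacities and should never be negative, so this looks harmless in practice. Declaring both the same way, `unsigned int last_row_size;`, would match the `unsigned int *` size argument that `av_fast_padded_malloc()` takes and keep the pair interchangeable. If `last_row` is sized through the same helper elsewhere in the file, which is not visible here, its `&s->last_row_size` argument would also stop being a pointer-type mismatch. The struct definition continues outside the hunk.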
@@ -331,6 +332,7 @@ static void png_handle_row(PNGDecContext *s)
png_filter_row(&s->dsp, s->tmp_row, s->crow_buf[0], s->crow_buf + 1,
s->last_row, s->pass_row_size, s->bpp);
FFSWAP(uint8_t*, s->last_row, s->tmp_row);
+ FFSWAP(unsigned int, s->last_row_size, s->tmp_row_size);
got_line = 1;
}
if ((png_pass_dsp_ymask[s->pass] << (s->y & 7)) & 0x80) {
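Review bot: The added `FFSWAP` of the two sizes has no comment saying why it must always accompany the pointer swap on the line above, and that pairing is the invariant the fix depends on. `av_fast_padded_malloc()` skips reallocation when the recorded size already covers the request, so a capacity left attached to the wrong buffer after a swap would let a later row write past a smaller allocation. I would add above the two swaps: `/* keep each capacity with its buffer: av_fast_padded_malloc() trusts the stored size when deciding whether to reallocate */`. png_handle_row's body starts and ends outside the hunk.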
@@ -674,7 +676,7 @@ static int decode_frame(AVCodecContext *avctx,
goto fail;
if (s->interlace_type ||
s->color_type == PNG_COLOR_TYPE_RGB_ALPHA) {
- s->tmp_row = av_malloc(s->row_size);
+ av_fast_padded_malloc(&s->tmp_row, &s->tmp_row_size, s->row_size);
if (!s->tmp_row)
goto fail;
}
@@ -864,7 +866,6 @@ static int decode_frame(AVCodecContext *avctx,
the_end:
inflateEnd(&s->zstream);
s->crow_buf = NULL;
- av_freep(&s->tmp_row);
return ret;
fail:
av_dict_free(&metadata);
@@ -918,6 +919,8 @@ static av_cold int png_dec_end(AVCodecContext *avctx)
s->buffer_size = 0;
av_freep(&s->last_row);
s->last_row_size = 0;
+ av_freep(&s->tmp_row);
+ s->tmp_row_size = 0;
return 0;
}
--
1.7.9.5