Fix buffer overwrite in png_build_index
Fixes buffer size calculations to take possible transformations
into account. Images with less than 256 colors in the palette,
that are transformed up to 8-bit, will not overwrite memory at
the end of the buffer. Verified with a 16 color image.
Also fixes some build warnings.
bug: 19507636
Signed-off-by: Henrik Smiding <henrik.smiding@intel.com>
(cherry picked from commit d3ff9df7a1191da1c47710ea8bd568204e74a976)
Change-Id: Ifd935c67d51a69969862d32799f81d58d8b7bfc9
diff --git a/pngread.c b/pngread.c
index cc213b8..6ba7ddc 100644
--- a/pngread.c
+++ b/pngread.c
@@ -1000,7 +1000,8 @@
number_rows_in_pass[0] = 8;
}
- rp = png_malloc(png_ptr, png_ptr->rowbytes);
+ // Allocate a buffer big enough for any transform.
+ rp = png_malloc(png_ptr, PNG_ROWBYTES(png_ptr->maximum_pixel_depth, png_ptr->width));
png_indexp index = png_malloc(png_ptr, sizeof(png_index));
png_ptr->index = index;
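Review bot: the new allocation size is only correct if png_ptr->maximum_pixel_depth has already been computed at this point in png_build_index; if it is still zero, PNG_ROWBYTES(png_ptr->maximum_pixel_depth, png_ptr->width) evaluates to 0 and png_malloc returns a zero-length buffer, reintroducing the overwrite the change is meant to fix. Please either add a comment stating where the field is initialised before this call or guard the call (for example, fall back to png_ptr->rowbytes when it is larger). Also, the added `// Allocate a buffer big enough for any transform.` line uses a C++-style comment in a C file; the rest of libpng uses `/* ... */`, so match that style.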
@@ -1018,7 +1019,7 @@
// has roughly the same size of index.
// This way, we won't consume to much memory in recording index.
index->step[p] = INDEX_SAMPLE_SIZE * (8 / number_rows_in_pass[p]);
- const int temp_size =
+ const png_uint_32 temp_size =
(png_ptr->height + index->step[p] - 1) / index->step[p];
index->pass_line_index[p] =
png_malloc(png_ptr, temp_size * sizeof(png_line_indexp));
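Review bot: changing `const int temp_size` to `const png_uint_32 temp_size` keeps the division from png_ptr->height (an unsigned field) in unsigned arithmetic and removes the sign-compare warning, which is fine; the product `temp_size * sizeof(png_line_indexp)` is still evaluated in size_t, so no truncation is introduced. Since this hunk is being touched anyway, the surrounding context comment has two wording slips worth fixing in the same change: "has roughly the same size of index" should read "has roughly the same size as the index", and "we won't consume to much memory" should read "too much".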