pngdec: don't use AV_PIX_FMT_MONOBLACK for apng

AV_PIX_FMT_MONOBLACK has the AV_PIX_FMT_FLAG_BITSTREAM flag, i.e.
linesize can be smaller than width.

Since x_offset is only check against the width, this can lead to
x_offset * bpp >= image_linesize.

In this case ptr could be set to a position outside the image_buf in
png_handle_row, leading to memory corruption and thus crashes.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 372aa0777aaacf726de7cd7dd0e6797026a124ee)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>

1 files changed, 1 insertions, 1 deletions

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 6f8ef7f7b5..7200442b99 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -618,7 +618,7 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s,
         } else if ((s->bits_per_pixel == 1 || s->bits_per_pixel == 2 || s->bits_per_pixel == 4 || s->bits_per_pixel == 8) &&
                 s->color_type == PNG_COLOR_TYPE_PALETTE) {
             avctx->pix_fmt = AV_PIX_FMT_PAL8;
-        } else if (s->bit_depth == 1 && s->bits_per_pixel == 1) {
+        } else if (s->bit_depth == 1 && s->bits_per_pixel == 1 && avctx->codec_id != AV_CODEC_ID_APNG) {
             avctx->pix_fmt = AV_PIX_FMT_MONOBLACK;
         } else if (s->bit_depth == 8 &&
                 s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) {