diff options
| author | Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> | 2015-05-03 20:36:20 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2015-05-03 21:50:09 +0200 |
| commit | 372aa0777aaacf726de7cd7dd0e6797026a124ee (patch) | |
| tree | c52054e140138be54be5a5418d9ed0b9e38a6435 /libavcodec | |
| parent | 8f760be4d312bb6e78f80d39b9d0062253332e08 (diff) | |
| download | ffmpeg-372aa0777aaacf726de7cd7dd0e6797026a124ee.tar.gz | |
pngdec: don't use AV_PIX_FMT_MONOBLACK for apng
AV_PIX_FMT_MONOBLACK has the AV_PIX_FMT_FLAG_BITSTREAM flag, i.e.
linesize can be smaller than width.
Since x_offset is only check against the width, this can lead to
x_offset * bpp >= image_linesize.
In this case ptr could be set to a position outside the image_buf in
png_handle_row, leading to memory corruption and thus crashes.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/pngdec.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 324f4e6ab7..1f8a77b37b 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -618,7 +618,7 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, } else if ((s->bits_per_pixel == 1 || s->bits_per_pixel == 2 || s->bits_per_pixel == 4 || s->bits_per_pixel == 8) && s->color_type == PNG_COLOR_TYPE_PALETTE) { avctx->pix_fmt = AV_PIX_FMT_PAL8; - } else if (s->bit_depth == 1 && s->bits_per_pixel == 1) { + } else if (s->bit_depth == 1 && s->bits_per_pixel == 1 && avctx->codec_id != AV_CODEC_ID_APNG) { avctx->pix_fmt = AV_PIX_FMT_MONOBLACK; } else if (s->bit_depth == 8 && s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { |