ffmpeg | branch: master | Andreas Cadhalpun <andreas.cadhal...@googlemail.com> 
| Sun May  3 20:36:20 2015 +0200| [372aa0777aaacf726de7cd7dd0e6797026a124ee] | 
committer: Michael Niedermayer

pngdec: don't use AV_PIX_FMT_MONOBLACK for apng

AV_PIX_FMT_MONOBLACK has the AV_PIX_FMT_FLAG_BITSTREAM flag, i.e.
linesize can be smaller than width.

Since x_offset is only checked against the width, this can lead to
x_offset * bpp >= image_linesize.

In this case ptr could be set to a position outside the image_buf in
png_handle_row, leading to memory corruption and thus crashes.

Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
Signed-off-by: Michael Niedermayer <michae...@gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=372aa0777aaacf726de7cd7dd0e6797026a124ee
---

 libavcodec/pngdec.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 324f4e6..1f8a77b 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -618,7 +618,7 @@ static int decode_idat_chunk(AVCodecContext *avctx, 
PNGDecContext *s,
         } else if ((s->bits_per_pixel == 1 || s->bits_per_pixel == 2 || 
s->bits_per_pixel == 4 || s->bits_per_pixel == 8) &&
                 s->color_type == PNG_COLOR_TYPE_PALETTE) {
             avctx->pix_fmt = AV_PIX_FMT_PAL8;
-        } else if (s->bit_depth == 1 && s->bits_per_pixel == 1) {
+        } else if (s->bit_depth == 1 && s->bits_per_pixel == 1 && 
avctx->codec_id != AV_CODEC_ID_APNG) {
             avctx->pix_fmt = AV_PIX_FMT_MONOBLACK;
         } else if (s->bit_depth == 8 &&
                 s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) {
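
Review bot: The new `avctx->codec_id != AV_CODEC_ID_APNG` condition on the MONOBLACK branch avoids the out-of-bounds write by excluding one pixel format, but the commit message gives the root cause as x_offset being validated only against the width. A direct check where ptr is computed in png_handle_row, rejecting any frame where x_offset * bpp >= image_linesize, would also cover any other format whose linesize can be smaller than width. It is also not visible from this hunk which branch a 1-bit, non-palette APNG now reaches: the next condition shown (`s->bit_depth == 8` with PNG_COLOR_TYPE_GRAY_ALPHA) cannot match, so please confirm the chain ends in an explicit unsupported-format error for that input instead of leaving pix_fmt unset. A one-line comment next to the condition saying why APNG is excluded (sub-frame offsets are in pixels, MONOBLACK rows are bit-packed) would keep a later cleanup from removing it.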

_______________________________________________
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
