ffmpeg | branch: release/2.6 | Andreas Cadhalpun <andreas.cadhal...@googlemail.com> | Sun May 3 20:36:20 2015 +0200| [e6a5023d1f2f3ec5aaf8ae299cb7ca8dd006459b] | committer: Andreas Cadhalpun
pngdec: don't use AV_PIX_FMT_MONOBLACK for apng AV_PIX_FMT_MONOBLACK has the AV_PIX_FMT_FLAG_BITSTREAM flag, i.e. linesize can be smaller than width. Since x_offset is only check against the width, this can lead to x_offset * bpp >= image_linesize. In this case ptr could be set to a position outside the image_buf in png_handle_row, leading to memory corruption and thus crashes. Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> Signed-off-by: Michael Niedermayer <michae...@gmx.at> (cherry picked from commit 372aa0777aaacf726de7cd7dd0e6797026a124ee) Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e6a5023d1f2f3ec5aaf8ae299cb7ca8dd006459b --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 6f8ef7f..7200442 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -618,7 +618,7 @@ static int decode_idat_chunk(AVCodecContext *avctx, PNGDecContext *s, } else if ((s->bits_per_pixel == 1 || s->bits_per_pixel == 2 || s->bits_per_pixel == 4 || s->bits_per_pixel == 8) && s->color_type == PNG_COLOR_TYPE_PALETTE) { avctx->pix_fmt = AV_PIX_FMT_PAL8; - } else if (s->bit_depth == 1 && s->bits_per_pixel == 1) { + } else if (s->bit_depth == 1 && s->bits_per_pixel == 1 && avctx->codec_id != AV_CODEC_ID_APNG) { avctx->pix_fmt = AV_PIX_FMT_MONOBLACK; } else if (s->bit_depth == 8 && s->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
