avcodec/pngdec: Fix padded alloc code with threads

Fixes Ticket2903 Fixes out of array write no releases should be affected by this Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2013-08-30 16:06:05 +02:00 · 2013-08-30 16:06:05 +02:00 · 7b47d7f75e
parent d814a839ac
commit 7b47d7f75e
1 changed files with 5 additions and 2 deletions
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@ -62,6 +62,7 @@ typedef struct PNGDecContext {
    uint8_t *last_row;
    int last_row_size;
    uint8_t *tmp_row;
+    unsigned int tmp_row_size;
    uint8_t *buffer;
    int buffer_size;
    int pass;
@ -331,6 +332,7 @@ static void png_handle_row(PNGDecContext *s)
                png_filter_row(&s->dsp, s->tmp_row, s->crow_buf[0], s->crow_buf + 1,
                               s->last_row, s->pass_row_size, s->bpp);
                FFSWAP(uint8_t*, s->last_row, s->tmp_row);
+                FFSWAP(unsigned int, s->last_row_size, s->tmp_row_size);
                got_line = 1;
            }
            if ((png_pass_dsp_ymask[s->pass] << (s->y & 7)) & 0x80) {
@ -674,7 +676,7 @@ static int decode_frame(AVCodecContext *avctx,
                    goto fail;
                if (s->interlace_type ||
                    s->color_type == PNG_COLOR_TYPE_RGB_ALPHA) {
-                    s->tmp_row = av_malloc(s->row_size);
+                    av_fast_padded_malloc(&s->tmp_row, &s->tmp_row_size, s->row_size);
                    if (!s->tmp_row)
                        goto fail;
                }
@ -864,7 +866,6 @@ static int decode_frame(AVCodecContext *avctx,
 the_end:
    inflateEnd(&s->zstream);
    s->crow_buf = NULL;
-    av_freep(&s->tmp_row);
    return ret;
 fail:
    av_dict_free(&metadata);
@ -918,6 +919,8 @@ static av_cold int png_dec_end(AVCodecContext *avctx)
    s->buffer_size = 0;
    av_freep(&s->last_row);
    s->last_row_size = 0;
+    av_freep(&s->tmp_row);
+    s->tmp_row_size = 0;

    return 0;
 }