This fixes a stack buffer overflow.
Signed-off-by: Andreas Cadhalpun <andreas.cadhal...@googlemail.com>
---
 libavcodec/pngdec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 689aa2b..c974654 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -1010,13 +1010,13 @@ static int handle_p_frame_apng(AVCodecContext *avctx, PNGDecContext *s,
 memcpy(buffer + row_start, p->data[0] + row_start, s->bpp * s->cur_w);
 }
 } else { // APNG_BLEND_OP_OVER
+ uint8_t *output = av_malloc(s->bpp);
 for (y = s->y_offset; y < s->y_offset + s->cur_h; ++y) {
 uint8_t *foreground = p->data[0] + s->image_linesize * y + s->bpp * s->x_offset;
 uint8_t *background = buffer + s->image_linesize * y + s->bpp * s->x_offset;
 for (x = s->x_offset; x < s->x_offset + s->cur_w; ++x, foreground += s->bpp, background += s->bpp) {
 size_t b;
 uint8_t foreground_alpha, background_alpha, output_alpha;
- uint8_t output[4];
 // Since we might be blending alpha onto alpha, we use the following equations:
 // output_alpha = foreground_alpha + (1 - foreground_alpha) * background_alpha
@@ -1069,6 +1069,7 @@ static int handle_p_frame_apng(AVCodecContext *avctx, PNGDecContext *s,
 memcpy(background, output, s->bpp);
 }
 }
+ av_freep(&output);
 }
 // Copy blended buffer into the frame and free
--
2.6.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
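Review bot: The result of `av_malloc(s->bpp)` at the top of the APNG_BLEND_OP_OVER branch is used without a NULL check, so a failed allocation replaces the stack overflow with a NULL write in the blend loop and a NULL source in `memcpy(background, output, s->bpp)`. Add `if (!output) return AVERROR(ENOMEM);` directly after the allocation; `buffer` appears to be allocated earlier in handle_p_frame_apng, outside the hunk, so that error path probably has to release it too. The loop body between the two hunks is not shown, so it is worth confirming that it contains no early return that would skip the `av_freep(&output)` added in the second hunk, and that every index written into `output` stays below `s->bpp`. A short comment on the allocation, e.g. `/* one pixel of scratch space; bpp can exceed 4, so a fixed output[4] is too small */`, would record why the fixed-size array was replaced.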