From 41cf547a0df093f466c50db021250ac5f3fa6881 Mon Sep 17 00:00:00 2001
From: Derek Sollenberger <djsollen@google.com>
Date: Mon, 22 Sep 2014 16:28:36 -0400
Subject: Incrementally increase the index size based on when the data
 structures are allocated.

This should prevent crashes when we attempt to cleanup the codec when an image
fails to properly decode in tiled mode.

bug: 17433945
bug: 19507636

(cherry picked from commit 8594e1a8521b2cbdd941719b929b15ba943b1d4a)

Change-Id: I1b0c36905052294f28ebbf782bd93786f1c942c8
---
 pngread.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/pngread.c b/pngread.c
index b301d41..cc213b8 100644
--- a/pngread.c
+++ b/pngread.c
@@ -1018,10 +1018,10 @@ png_build_index(png_structp png_ptr)
       // has roughly the same size of index.
       // This way, we won't consume to much memory in recording index.
       index->step[p] = INDEX_SAMPLE_SIZE * (8 / number_rows_in_pass[p]);
-      index->size[p] =
+      const int temp_size =
          (png_ptr->height + index->step[p] - 1) / index->step[p];
       index->pass_line_index[p] =
-         png_malloc(png_ptr, index->size[p] * sizeof(png_line_indexp));
+         png_malloc(png_ptr, temp_size * sizeof(png_line_indexp));
 
       // Get the row_byte_length seen by the filter. This value may be
       // different from the row_byte_length of a bitmap in the case of
@@ -1030,7 +1030,7 @@ png_build_index(png_structp png_ptr)
          PNG_ROWBYTES(png_ptr->pixel_depth, png_ptr->iwidth) + 1;
 
       // Now, we record index for each indexing row.
-      for (i = 0; i < index->size[p]; i++)
+      for (i = 0; i < temp_size; i++)
       {
          png_line_indexp line_index = png_malloc(png_ptr, sizeof(png_line_index));
          index->pass_line_index[p][i] = line_index;
@@ -1043,6 +1043,11 @@ png_build_index(png_structp png_ptr)
          line_index->stream_idat_position = index->stream_idat_position;
          line_index->bytes_left_in_idat = png_ptr->idat_size + png_ptr->zstream.avail_in;
 
+         // increment the size now that we have the backing data structures.
+         // This prevents a crash in the event that png_read_row fails and
+         // we need to cleanup the partially constructed png_index_struct;
+         index->size[p] += 1;
+
          // Skip the "step" number of rows to the next indexing row.
          for (j = 0; j < index->step[p] &&
                i * index->step[p] + j < png_ptr->height; j++)
-- 
cgit v1.2.3