diff options
| author | Martijn Kaijser <martijn@xbmc.org> | 2016-02-19 23:16:26 +0100 |
|---|---|---|
| committer | Martijn Kaijser <martijn@xbmc.org> | 2016-02-19 23:16:26 +0100 |
| commit | f055898560a8e36184c68b49a801999025304a8c (patch) | |
| tree | 11ac833c33fb93b0491acc588e2141344acb4f87 | |
| parent | 4072a0de9784756f2f449c9029617ce7e8a65e3c (diff) | |
| parent | 04b01df54674c14782d4572635e88ea4a39c54f2 (diff) | |
Merge pull request #9153 from ace20022/JarvisPNG
[Fix][cximage] Fix read after free crashes
| -rw-r--r-- | lib/cximage-6.0/CxImage/ximamng.cpp | 2 | ||||
| -rw-r--r-- | lib/cximage-6.0/CxImage/ximapng.cpp | 3 | ||||
| -rw-r--r-- | lib/cximage-6.0/mng/libmng_hlapi.c | 2 |
3 files changed, 7 insertions, 0 deletions
diff --git a/lib/cximage-6.0/CxImage/ximamng.cpp b/lib/cximage-6.0/CxImage/ximamng.cpp index 865c49003c..9a77abfb07 100644 --- a/lib/cximage-6.0/CxImage/ximamng.cpp +++ b/lib/cximage-6.0/CxImage/ximamng.cpp @@ -253,6 +253,8 @@ bool CxImageMNG::Decode(CxFile *hFile) // read all while(pData->bReading){ retval = mng_display_resume(hmng); + if (retval != MNG_NEEDTIMERWAIT) + break; info.nNumFrames++; } diff --git a/lib/cximage-6.0/CxImage/ximapng.cpp b/lib/cximage-6.0/CxImage/ximapng.cpp index adadeea26d..a58441c37e 100644 --- a/lib/cximage-6.0/CxImage/ximapng.cpp +++ b/lib/cximage-6.0/CxImage/ximapng.cpp @@ -73,6 +73,7 @@ bool CxImagePNG::Decode(CxFile *hFile) #endif /* Free all of the memory associated with the png_ptr and info_ptr */ delete [] row_pointers; + row_pointers = nullptr; png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp)NULL); cx_throw(""); } @@ -467,6 +468,7 @@ bool CxImagePNG::Decode(CxFile *hFile) } delete [] row_pointers; + row_pointers = nullptr; /* read the rest of the file, getting any additional chunks in info_ptr */ png_read_end(png_ptr, info_ptr); @@ -788,6 +790,7 @@ bool CxImagePNG::Encode(CxFile *hFile) } delete [] row_pointers; + row_pointers = nullptr; //if necessary, restore the original palette if (!bGrayScale && head.biClrUsed && info.nBkgndIndex>0) diff --git a/lib/cximage-6.0/mng/libmng_hlapi.c b/lib/cximage-6.0/mng/libmng_hlapi.c index 36997617d5..19fd770d7d 100644 --- a/lib/cximage-6.0/mng/libmng_hlapi.c +++ b/lib/cximage-6.0/mng/libmng_hlapi.c @@ -2434,6 +2434,8 @@ mng_retcode MNG_DECL mng_display_resume (mng_handle hHandle) pData->bSuspended = MNG_FALSE; /* now reset this flag */ /* and continue reading */ iRetcode = mng_read_graphic (pData); + if (iRetcode) + return iRetcode; if (pData->bEOF) /* already at EOF ? */ { |