avcodec/pngdec: Fix padded alloc code with threads

Fixes Ticket2903
Fixes out of array write
no releases should be affected by this

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

1 files changed, 5 insertions, 2 deletions

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index 436e7986b4..9305b3200d 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -62,6 +62,7 @@ typedef struct PNGDecContext {
     uint8_t *last_row;
     int last_row_size;
     uint8_t *tmp_row;
+    unsigned int tmp_row_size;
     uint8_t *buffer;
     int buffer_size;
     int pass;
@@ -331,6 +332,7 @@ static void png_handle_row(PNGDecContext *s)
                 png_filter_row(&s->dsp, s->tmp_row, s->crow_buf[0], s->crow_buf + 1,
                                s->last_row, s->pass_row_size, s->bpp);
                 FFSWAP(uint8_t*, s->last_row, s->tmp_row);
+                FFSWAP(unsigned int, s->last_row_size, s->tmp_row_size);
                 got_line = 1;
             }
             if ((png_pass_dsp_ymask[s->pass] << (s->y & 7)) & 0x80) {
@@ -674,7 +676,7 @@ static int decode_frame(AVCodecContext *avctx,
                     goto fail;
                 if (s->interlace_type ||
                     s->color_type == PNG_COLOR_TYPE_RGB_ALPHA) {
-                    s->tmp_row = av_malloc(s->row_size);
+                    av_fast_padded_malloc(&s->tmp_row, &s->tmp_row_size, s->row_size);
                     if (!s->tmp_row)
                         goto fail;
                 }
@@ -864,7 +866,6 @@ static int decode_frame(AVCodecContext *avctx,
  the_end:
     inflateEnd(&s->zstream);
     s->crow_buf = NULL;
-    av_freep(&s->tmp_row);
     return ret;
  fail:
     av_dict_free(&metadata);
@@ -918,6 +919,8 @@ static av_cold int png_dec_end(AVCodecContext *avctx)
     s->buffer_size = 0;
     av_freep(&s->last_row);
     s->last_row_size = 0;
+    av_freep(&s->tmp_row);
+    s->tmp_row_size = 0;
 
     return 0;
 }