diff options
author | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-10-11 16:28:14 -0500 |
---|---|---|
committer | Glenn Randers-Pehrson <glennrp at users.sourceforge.net> | 2017-10-11 16:28:14 -0500 |
commit | 12384eae6fa138b528647cdf350b005509e95b6b (patch) | |
tree | d4a92fd70975608454a458b1af7201fd0fd43ff6 | |
parent | 357af1f095320c76f7c9d2bcf7de48dd809358e4 (diff) | |
download | libpng-12384eae6fa138b528647cdf350b005509e95b6b.tar.gz |
[libpng16] Relocate malloc of row_ptr after png_read_update_info() in fuzzer
-rw-r--r-- | contrib/oss-fuzz/libpng_read_fuzzer.cc | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/contrib/oss-fuzz/libpng_read_fuzzer.cc b/contrib/oss-fuzz/libpng_read_fuzzer.cc index 2b7270e62..bfce5bc98 100644 --- a/contrib/oss-fuzz/libpng_read_fuzzer.cc +++ b/contrib/oss-fuzz/libpng_read_fuzzer.cc @@ -136,9 +136,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { // Reading. png_read_info(png_handler.png_ptr, png_handler.info_ptr); - png_handler.row_ptr = png_malloc( - png_handler.png_ptr, png_get_rowbytes(png_handler.png_ptr, - png_handler.info_ptr)); // reset error handler to put png_deleter into scope. if (setjmp(png_jmpbuf(png_handler.png_ptr))) { @@ -174,6 +171,10 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { png_read_update_info(png_handler.png_ptr, png_handler.png_info_ptr); + png_handler.row_ptr = png_malloc( + png_handler.png_ptr, png_get_rowbytes(png_handler.png_ptr, + png_handler.info_ptr)); + for (int pass = 0; pass < passes; ++pass) { for (png_uint_32 y = 0; y < height; ++y) { png_read_row(png_handler.png_ptr, |