Fix a couple of divide by zero crashes in PNG/TIFF predictors.

core/src/fxcodec/codec/fx_codec_flate.cpp

Index: core/src/fxcodec/codec/fx_codec_flate.cpp
diff --git a/core/src/fxcodec/codec/fx_codec_flate.cpp b/core/src/fxcodec/codec/fx_codec_flate.cpp
index 3e1aa367c8bebf248c8b496536310ebd36a89474..e4dab423cc4eba445bc968c4cf7c8f395804707d 100644
--- a/core/src/fxcodec/codec/fx_codec_flate.cpp
+++ b/core/src/fxcodec/codec/fx_codec_flate.cpp
@@ -233,6 +233,8 @@ static void PNG_PredictorEncode(FX_LPBYTE& data_buf, FX_DWORD& data_size, int pr
 {
     int BytesPerPixel = (Colors * BitsPerComponent + 7) / 8;
     int row_size = (Colors * BitsPerComponent * Columns + 7) / 8;
+    if (row_size == 0)

[Tom Sepez, 2015/05/04 15:23:12]

what happens after we take this path?  Do we continue with the decode using
uninitialized memory?  My concern is that this might disclose some memory
contents.  Maybe we need a bool return value for errors.

[Lei Zhang, 2015/05/04 23:19:36]

Done. I forgot that many parameters passed by reference are actually in-out
params. Best to just bail out on error.

+        return;
     int row_count = (data_size + row_size - 1) / row_size;
     int last_row_size = data_size % row_size;
     FX_LPBYTE dest_buf = FX_Alloc( FX_BYTE, (row_size + 1) * row_count);
@@ -558,6 +560,8 @@ static void TIFF_Predictor(FX_LPBYTE& data_buf, FX_DWORD& data_size,
                            int Colors, int BitsPerComponent, int Columns)
 {
     int row_size = (Colors * BitsPerComponent * Columns + 7) / 8;
+    if (row_size == 0)
+        return;
     int row_count = (data_size + row_size - 1) / row_size;
     int last_row_size = data_size % row_size;
     for (int row = 0; row < row_count; row ++) {