wrapper/FFmpeg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

pictordec: break out of both decoding loops when y drops below 0

Browse source 
Otherwise picmemset can get called with negative y, resulting in an
invalid write.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5f7aecde02)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
This commit is contained in:
Anton Khirnov 2013-08-24 21:30:46 +02:00 committed by Sean McGovern
parent c225c620c6
commit 5773065a71
1 changed files with 2 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
libavcodec/pictordec.c
View file

@ -226,7 +226,7 @@ static int decode_frame(AVCodecContext *avctx,
if (bits_per_plane == 8) {
picmemset_8bpp(s, val, run, &x, &y);
if (y < 0)
break;
goto finish;
} else {
picmemset(s, val, run, &x, &y, &plane, bits_per_plane);
}
@ -236,6 +236,7 @@ static int decode_frame(AVCodecContext *avctx,
av_log_ask_for_sample(s, "uncompressed image\n");
return avpkt->size;
}
finish:
*data_size = sizeof(AVFrame);
*(AVFrame*)data = s->frame;