From 5773065a71055b5000717fab68e79647eea3dd6d Mon Sep 17 00:00:00 2001
From: Anton Khirnov <anton@khirnov.net>
Date: Sat, 24 Aug 2013 21:30:46 +0200
Subject: [PATCH] pictordec: break out of both decoding loops when y drops
 below 0

Otherwise picmemset can get called with negative y, resulting in an
invalid write.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5f7aecde02a95451e514c809f2794c1deba80695)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
---
 libavcodec/pictordec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c
index e0bc899946..88add167cf 100644
--- a/libavcodec/pictordec.c
+++ b/libavcodec/pictordec.c
@@ -226,7 +226,7 @@ static int decode_frame(AVCodecContext *avctx,
                 if (bits_per_plane == 8) {
                     picmemset_8bpp(s, val, run, &x, &y);
                     if (y < 0)
-                        break;
+                        goto finish;
                 } else {
                     picmemset(s, val, run, &x, &y, &plane, bits_per_plane);
                 }
@@ -236,6 +236,7 @@ static int decode_frame(AVCodecContext *avctx,
         av_log_ask_for_sample(s, "uncompressed image\n");
         return avpkt->size;
     }
+finish:
 
     *data_size = sizeof(AVFrame);
     *(AVFrame*)data = s->frame;