[libav-stable] pictordec: break out of both decoding loops when y drops below 0

Anton Khirnov git at libav.org
Mon Sep 2 19:48:43 CEST 2013


Module: libav
Branch: master
Commit: 5f7aecde02a95451e514c809f2794c1deba80695

Author:    Anton Khirnov <anton at khirnov.net>
Committer: Anton Khirnov <anton at khirnov.net>
Date:      Sat Aug 24 21:30:46 2013 +0200

pictordec: break out of both decoding loops when y drops below 0

Otherwise picmemset can get called with negative y, resulting in an
invalid write.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org

---

 libavcodec/pictordec.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c
index 2a6e391..20ddb20 100644
--- a/libavcodec/pictordec.c
+++ b/libavcodec/pictordec.c
@@ -226,7 +226,7 @@ static int decode_frame(AVCodecContext *avctx,
                 if (bits_per_plane == 8) {
                     picmemset_8bpp(s, frame, val, run, &x, &y);
                     if (y < 0)
-                        break;
+                        goto finish;
                 } else {
                     picmemset(s, frame, val, run, &x, &y, &plane, bits_per_plane);
                 }
@@ -236,6 +236,7 @@ static int decode_frame(AVCodecContext *avctx,
         avpriv_request_sample(s, "Uncompressed image");
         return avpkt->size;
     }
+finish:
 
     *got_frame      = 1;
     return avpkt->size;



More information about the libav-stable mailing list