diff options
author | Anton Khirnov <anton@khirnov.net> | 2013-08-24 21:30:46 +0200 |
---|---|---|
committer | Anton Khirnov <anton@khirnov.net> | 2013-09-02 19:27:45 +0200 |
commit | 5f7aecde02a95451e514c809f2794c1deba80695 (patch) | |
tree | 64a64710d4e29f8ab6eea24666ec18299a4d79c5 | |
parent | 8aba7968dd604aae91ee42cbce0be3dad7dceb30 (diff) | |
download | ffmpeg-5f7aecde02a95451e514c809f2794c1deba80695.tar.gz |
pictordec: break out of both decoding loops when y drops below 0
Otherwise picmemset can get called with negative y, resulting in an
invalid write.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
-rw-r--r-- | libavcodec/pictordec.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c index 2a6e39158b..20ddb20b15 100644 --- a/libavcodec/pictordec.c +++ b/libavcodec/pictordec.c @@ -226,7 +226,7 @@ static int decode_frame(AVCodecContext *avctx, if (bits_per_plane == 8) { picmemset_8bpp(s, frame, val, run, &x, &y); if (y < 0) - break; + goto finish; } else { picmemset(s, frame, val, run, &x, &y, &plane, bits_per_plane); } @@ -236,6 +236,7 @@ static int decode_frame(AVCodecContext *avctx, avpriv_request_sample(s, "Uncompressed image"); return avpkt->size; } +finish: *got_frame = 1; return avpkt->size; |