smvjpegdec: make sure cur_frame is not negative

This fixes a heap-buffer-overflow detected by AddressSanitizer. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
author: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2016-11-10 22:09:03 +0100
committer: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2016-11-12 01:36:47 +0100
commit: 360bc0d90aa66cf21e9f488e77d21db18e01ec9c (patch)
tree: 0f13a55f5d04df5efefdc88149114849e1d6dfce
parent: 005d058f4230f3207ebcf1131df7426d4f57392f (diff)
download: ffmpeg-360bc0d90aa66cf21e9f488e77d21db18e01ec9c.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/smvjpegdec.c b/libavcodec/smvjpegdec.c
index 9057e86161..e319e5781b 100644
--- a/libavcodec/smvjpegdec.c
+++ b/libavcodec/smvjpegdec.c
@@ -152,6 +152,10 @@ static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_siz
 
     cur_frame = avpkt->pts % s->frames_per_jpeg;
 
+    /* cur_frame is later used to calculate the buffer offset, so it mustn't be negative */
+    if (cur_frame < 0)
+        cur_frame += s->frames_per_jpeg;
+
     /* Are we at the start of a block? */
     if (!cur_frame) {
         av_frame_unref(mjpeg_data);
author	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-10 22:09:03 +0100
committer	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-12 01:36:47 +0100
commit	360bc0d90aa66cf21e9f488e77d21db18e01ec9c (patch)
tree	0f13a55f5d04df5efefdc88149114849e1d6dfce
parent	005d058f4230f3207ebcf1131df7426d4f57392f (diff)
download	ffmpeg-360bc0d90aa66cf21e9f488e77d21db18e01ec9c.tar.gz