pictordec: break out of both decoding loops when y drops below 0

Otherwise picmemset can get called with negative y, resulting in an invalid write. Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org (cherry picked from commit 5f7aecde02a95451e514c809f2794c1deba80695) Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
author: Anton Khirnov <anton@khirnov.net> 2013-08-24 21:30:46 +0200
committer: Luca Barbato <lu_zero@gentoo.org> 2013-09-07 10:13:48 +0200
commit: 8dc4b2c92e492aa172327d10c926d5ca3a04371c (patch)
tree: 48e09835b65f653f0951fdb0dfcf2a2a2ca385e9
parent: 251b4655be73f4b5e86d3e81d61abb5787b1262b (diff)
download: ffmpeg-8dc4b2c92e492aa172327d10c926d5ca3a04371c.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c
index 16f930730b..f88fc52f1b 100644
--- a/libavcodec/pictordec.c
+++ b/libavcodec/pictordec.c
@@ -227,7 +227,7 @@ static int decode_frame(AVCodecContext *avctx,
                 if (bits_per_plane == 8) {
                     picmemset_8bpp(s, val, run, &x, &y);
                     if (y < 0)
-                        break;
+                        goto finish;
                 } else {
                     picmemset(s, val, run, &x, &y, &plane, bits_per_plane);
                 }
@@ -237,6 +237,7 @@ static int decode_frame(AVCodecContext *avctx,
         av_log_ask_for_sample(s, "uncompressed image\n");
         return avpkt->size;
     }
+finish:
 
     *got_frame      = 1;
     *(AVFrame*)data = s->frame;
author	Anton Khirnov <anton@khirnov.net>	2013-08-24 21:30:46 +0200
committer	Luca Barbato <lu_zero@gentoo.org>	2013-09-07 10:13:48 +0200
commit	8dc4b2c92e492aa172327d10c926d5ca3a04371c (patch)
tree	48e09835b65f653f0951fdb0dfcf2a2a2ca385e9
parent	251b4655be73f4b5e86d3e81d61abb5787b1262b (diff)
download	ffmpeg-8dc4b2c92e492aa172327d10c926d5ca3a04371c.tar.gz