smvjpegdec: make sure cur_frame is not negative

This fixes a heap-buffer-overflow detected by AddressSanitizer. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 360bc0d90aa66cf21e9f488e77d21db18e01ec9c) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
author: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2016-11-10 22:09:03 +0100
committer: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2016-11-27 00:46:34 +0100
commit: f76947fd567f20287bc8ca8e692a59026bac19e7 (patch)
tree: 60b4192471360af2ff4a168422b33484647c00af
parent: 71fa32bbb7478a865ba9e955393766f733fdda50 (diff)
download: ffmpeg-f76947fd567f20287bc8ca8e692a59026bac19e7.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/smvjpegdec.c b/libavcodec/smvjpegdec.c
index 9c2fb380e1..2235ed5dfd 100644
--- a/libavcodec/smvjpegdec.c
+++ b/libavcodec/smvjpegdec.c
@@ -152,6 +152,10 @@ static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_siz
 
     cur_frame = avpkt->pts % s->frames_per_jpeg;
 
+    /* cur_frame is later used to calculate the buffer offset, so it mustn't be negative */
+    if (cur_frame < 0)
+        cur_frame += s->frames_per_jpeg;
+
     /* Are we at the start of a block? */
     if (!cur_frame) {
         av_frame_unref(mjpeg_data);
author	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-10 22:09:03 +0100
committer	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:46:34 +0100
commit	f76947fd567f20287bc8ca8e692a59026bac19e7 (patch)
tree	60b4192471360af2ff4a168422b33484647c00af
parent	71fa32bbb7478a865ba9e955393766f733fdda50 (diff)
download	ffmpeg-f76947fd567f20287bc8ca8e692a59026bac19e7.tar.gz