smvjpegdec: make sure cur_frame is not negative

This fixes a heap-buffer-overflow detected by AddressSanitizer. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 360bc0d90aa66cf21e9f488e77d21db18e01ec9c) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
author: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2016-11-10 22:09:03 +0100
committer: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2016-11-27 00:38:57 +0100
commit: 69673d02790f7917d11055236ecfa20c9ff8771a (patch)
tree: d4b3da6c9a996a6aac3d567a7eedafc40de69632 /libavcodec
parent: 3047b0a4a3e749e62e413f8fc96ae2e9fe228477 (diff)
download: ffmpeg-69673d02790f7917d11055236ecfa20c9ff8771a.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/smvjpegdec.c b/libavcodec/smvjpegdec.c
index 9057e86161..e319e5781b 100644
--- a/libavcodec/smvjpegdec.c
+++ b/libavcodec/smvjpegdec.c
@@ -152,6 +152,10 @@ static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_siz
 
     cur_frame = avpkt->pts % s->frames_per_jpeg;
 
+    /* cur_frame is later used to calculate the buffer offset, so it mustn't be negative */
+    if (cur_frame < 0)
+        cur_frame += s->frames_per_jpeg;
+
     /* Are we at the start of a block? */
     if (!cur_frame) {
         av_frame_unref(mjpeg_data);
author	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-10 22:09:03 +0100
committer	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2016-11-27 00:38:57 +0100
commit	69673d02790f7917d11055236ecfa20c9ff8771a (patch)
tree	d4b3da6c9a996a6aac3d567a7eedafc40de69632 /libavcodec
parent	3047b0a4a3e749e62e413f8fc96ae2e9fe228477 (diff)
download	ffmpeg-69673d02790f7917d11055236ecfa20c9ff8771a.tar.gz