pictordec: break out of both decoding loops when y drops below 0
authorAnton Khirnov <anton@khirnov.net>
Sat, 24 Aug 2013 19:30:46 +0000 (21:30 +0200)
committerSean McGovern <gseanmcg@gmail.com>
Mon, 23 Sep 2013 23:46:49 +0000 (19:46 -0400)
Otherwise picmemset can get called with negative y, resulting in an
invalid write.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit 5f7aecde02a95451e514c809f2794c1deba80695)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
libavcodec/pictordec.c

index e0bc899..88add16 100644 (file)
@@ -226,7 +226,7 @@ static int decode_frame(AVCodecContext *avctx,
                 if (bits_per_plane == 8) {
                     picmemset_8bpp(s, val, run, &x, &y);
                     if (y < 0)
-                        break;
+                        goto finish;
                 } else {
                     picmemset(s, val, run, &x, &y, &plane, bits_per_plane);
                 }
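Review bot: The `y < 0` exit is added only on the 8bpp branch; the `else` branch still calls `picmemset(s, val, run, &x, &y, &plane, bits_per_plane)` with no check afterwards. Whether that path can come back around with a negative `y` depends on picmemset and on the loop conditions, neither of which is visible in this hunk. If picmemset does not bound `y` itself, the same guard belongs after it: `if (y < 0) goto finish;`. Because the invalid write is driven by file contents, a row check at the top of picmemset_8bpp would also keep the write in bounds if a later change to the loops reintroduces the call. decode_frame starts and ends outside the hunk.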
@@ -236,6 +236,7 @@ static int decode_frame(AVCodecContext *avctx,
         av_log_ask_for_sample(s, "uncompressed image\n");
         return avpkt->size;
     }
+finish:
 
     *data_size = sizeof(AVFrame);
     *(AVFrame*)data = s->frame;
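Review bot: The new `finish:` label carries no comment, although it is now the target of a jump out of two nested loops that sit well above it and outside this hunk. A line above the label such as `/* also reached from the 8bpp run loop once y < 0 */` would tell a reader why the rest of the packet is skipped on that path. decode_frame continues past the end of the hunk.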