har0ke/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avcodec/mjpegdec: use the correct linesize in the flipping code

Browse Source 
Fixes out of array access
No releases should be affected
Depends on 7c3700cd1d8683966b21fffbf02e326d0bd14e06, do not backport without this one

Fixes: asan_heap-oob_14a37fe_9111_cov_1692584941_test4.amv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2014-01-31 20:59:57 +01:00
parent f58eab1512
commit 19b41f8645
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
libavcodec/mjpegdec.c
View File

@ -2052,12 +2052,12 @@ the_end:
h = FF_CEIL_RSHIFT(h, vshift); h = FF_CEIL_RSHIFT(h, vshift);
} }
if(dst){ if(dst){
uint8_t *dst2 = dst + s->linesize[index]*(h-1); uint8_t *dst2 = dst + s->picture_ptr->linesize[index]*(h-1);
for (i=0; i<h/2; i++) { for (i=0; i<h/2; i++) {
for (j=0; j<w; j++) for (j=0; j<w; j++)
FFSWAP(int, dst[j], dst2[j]); FFSWAP(int, dst[j], dst2[j]);
dst += s->linesize[index]; dst += s->picture_ptr->linesize[index];
dst2 -= s->linesize[index]; dst2 -= s->picture_ptr->linesize[index];
} }
} }
} }