[FFmpeg-cvslog] pictordec: break out of both decoding loops when y drops below 0

Sat Sep 7 13:47:05 CEST 2013

ffmpeg | branch: release/1.1 | Anton Khirnov <anton at khirnov.net> | Sat Aug 24 21:30:46 2013 +0200| [8dc4b2c92e492aa172327d10c926d5ca3a04371c] | committer: Luca Barbato

pictordec: break out of both decoding loops when y drops below 0

Otherwise picmemset can get called with negative y, resulting in an
invalid write.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
(cherry picked from commit 5f7aecde02a95451e514c809f2794c1deba80695)
Signed-off-by: Luca Barbato <lu_zero at gentoo.org>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8dc4b2c92e492aa172327d10c926d5ca3a04371c
---

 libavcodec/pictordec.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c
index 16f9307..f88fc52 100644
--- a/libavcodec/pictordec.c
+++ b/libavcodec/pictordec.c
@@ -227,7 +227,7 @@ static int decode_frame(AVCodecContext *avctx,
                 if (bits_per_plane == 8) {
                     picmemset_8bpp(s, val, run, &x, &y);
                     if (y < 0)
-                        break;
+                        goto finish;
                 } else {
                     picmemset(s, val, run, &x, &y, &plane, bits_per_plane);
                 }
@@ -237,6 +237,7 @@ static int decode_frame(AVCodecContext *avctx,
         av_log_ask_for_sample(s, "uncompressed image\n");
         return avpkt->size;
     }
+finish:
 
     *got_frame      = 1;
     *(AVFrame*)data = s->frame;

