[FFmpeg-cvslog] avcodec/pngdec: Fix paeth prediction with small images

[Michael Niedermayer]

ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Wed Nov 26 17:00:17 2014 +0100| [9a53707e86eb066e1c77460215c716f7962c71e7] | committer: Michael Niedermayer

avcodec/pngdec: Fix paeth prediction with small images

Fixes out of array read
Fixes: asan_heap-oob_20b0a06_1962_cov_1907976991_delete_node_small.png
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=9a53707e86eb066e1c77460215c716f7962c71e7
---

 libavcodec/pngdec.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index f80a3fe..35dcd76 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -267,8 +267,10 @@ static void png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type,
             /* would write off the end of the array if we let it process
              * the last pixel with bpp=3 */
             int w = bpp == 4 ? size : size - 3;
-            dsp->add_paeth_prediction(dst + i, src + i, last + i, w - i, bpp);
-            i = w;
+            if (w > i) {
+                dsp->add_paeth_prediction(dst + i, src + i, last + i, w - i, bpp);
+                i = w;
+            }
         }
         ff_add_png_paeth_prediction(dst + i, src + i, last + i, size - i, bpp);
         break;