ffmpeg | branch: release/2.8 | Michael Niedermayer <mich...@niedermayer.cc> | Wed Nov 4 18:08:52 2015 +0100| [fdb884263974b19584a4f37508d71bc60189f512] | committer: Michael Niedermayer
avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it Fixes: 04715144ba237443010554be0d05343f/asan_heap-oob_1eafc76_1737_c685b48041a563461839e4e7ab97abb8.jpg Fixes out of array access Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> (cherry picked from commit d24888ef19ba38b787b11d1ee091a3d94920c76a) Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fdb884263974b19584a4f37508d71bc60189f512
---
 libavcodec/mjpegdec.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 61c8a5e..1fb077a 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1093,7 +1093,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
 dc = mjpeg_decode_dc(s, s->dc_index[i]);
 if(dc == 0xFFFFF)
 return -1;
- if(bits<=8){
+ if ( h * mb_x + x >= s->width
+ || v * mb_y + y >= s->height) {
+ // Nothing to do
+ } else if (bits<=8) {
 ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap
 if(y==0 && toprow){
 if(x==0 && leftcol){
@@ -1161,7 +1164,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
 dc = mjpeg_decode_dc(s, s->dc_index[i]);
 if(dc == 0xFFFFF)
 return -1;
- if(bits<=8){
+ if ( h * mb_x + x >= s->width
+ || v * mb_y + y >= s->height) {
+ // Nothing to do
+ } else if (bits<=8) {
 ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap
_______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog
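Review bot: The added guard compares `h * mb_x + x` and `v * mb_y + y`, which index component `c`'s own plane in the `ptr` computation just below, against the whole-frame `s->width` and `s->height` for every component. If a subsampled plane can be smaller than the frame, that bound is looser than the plane being written; presumably the `mb_x`/`mb_y` loop limits outside the hunk cover this, but it should be confirmed and stated next to the check. The `// Nothing to do` comment also hides that `dc` has already been decoded above and is then discarded; something like `// sample is outside the picture: dc was consumed above, nothing is stored` would say so. The same guard and comment are repeated in the second hunk (`@@ -1161,7 +1164,10 @@`), and the function body starts and ends outside both hunks.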