smvjpegdec: make sure cur_frame is not negative

This fixes a heap-buffer-overflow detected by AddressSanitizer. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>

smvjpegdec: make sure cur_frame is not negative
This fixes a heap-buffer-overflow detected by AddressSanitizer. Reviewed-by: Michael Niedermayer <michael@niedermayer.cc> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
360bc0d9 · Andreas Cadhalpun · 005d058f · 360bc0d9
Commit 360bc0d9 authored Nov 10, 2016 by Andreas Cadhalpun
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

smvjpegdec.c libavcodec/smvjpegdec.c +4 -0

No files found.
--- a/libavcodec/smvjpegdec.c
+++ b/libavcodec/smvjpegdec.c
@@ -152,6 +152,10 @@ static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_siz

    cur_frame = avpkt->pts % s->frames_per_jpeg;

+    /* cur_frame is later used to calculate the buffer offset, so it mustn't be negative */
+    if (cur_frame < 0)
+        cur_frame += s->frames_per_jpeg;
+
    /* Are we at the start of a block? */
    if (!cur_frame) {
        av_frame_unref(mjpeg_data);