Commit 5f7aecde authored by Anton Khirnov's avatar Anton Khirnov

pictordec: break out of both decoding loops when y drops below 0

Otherwise picmemset can get called with negative y, resulting in an
invalid write.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
parent 8aba7968
...@@ -226,7 +226,7 @@ static int decode_frame(AVCodecContext *avctx, ...@@ -226,7 +226,7 @@ static int decode_frame(AVCodecContext *avctx,
if (bits_per_plane == 8) { if (bits_per_plane == 8) {
picmemset_8bpp(s, frame, val, run, &x, &y); picmemset_8bpp(s, frame, val, run, &x, &y);
if (y < 0) if (y < 0)
break; goto finish;
} else { } else {
picmemset(s, frame, val, run, &x, &y, &plane, bits_per_plane); picmemset(s, frame, val, run, &x, &y, &plane, bits_per_plane);
} }
...@@ -236,6 +236,7 @@ static int decode_frame(AVCodecContext *avctx, ...@@ -236,6 +236,7 @@ static int decode_frame(AVCodecContext *avctx,
avpriv_request_sample(s, "Uncompressed image"); avpriv_request_sample(s, "Uncompressed image");
return avpkt->size; return avpkt->size;
} }
finish:
*got_frame = 1; *got_frame = 1;
return avpkt->size; return avpkt->size;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment