Message ID | GV1P250MB07376CEB965ECB5CDA59F6068F549@GV1P250MB0737.EURP250.PROD.OUTLOOK.COM |
---|---|
State | Accepted |
Commit | 042c1966da4dfb95a3d8adc3358d16bb99a21282 |
Headers | show |
Series | [FFmpeg-devel] avcodec/pngdec: Don't use unsigned for width, height | expand |
Andreas Rheinhardt: > Otherwise p->linesize[0] * y will be evaluated as an unsigned > which leads to segfaults in case linesize is negative. > This happens in the apng-dispose-previous FATE-test in case > one makes get_buffer return pictures with negative linesizes. > > Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> > --- > libavcodec/pngdec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c > index 582953d17b..3c3eca601e 100644 > --- a/libavcodec/pngdec.c > +++ b/libavcodec/pngdec.c > @@ -1387,7 +1387,7 @@ exit_loop: > if (s->has_trns && s->color_type != PNG_COLOR_TYPE_PALETTE) { > size_t byte_depth = s->bit_depth > 8 ? 2 : 1; > size_t raw_bpp = s->bpp - byte_depth; > - unsigned x, y; > + ptrdiff_t x, y; > > av_assert0(s->bit_depth > 1); > Will apply this patch tomorrow unless there are objections. - Andreas
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c index 582953d17b..3c3eca601e 100644 --- a/libavcodec/pngdec.c +++ b/libavcodec/pngdec.c @@ -1387,7 +1387,7 @@ exit_loop: if (s->has_trns && s->color_type != PNG_COLOR_TYPE_PALETTE) { size_t byte_depth = s->bit_depth > 8 ? 2 : 1; size_t raw_bpp = s->bpp - byte_depth; - unsigned x, y; + ptrdiff_t x, y; av_assert0(s->bit_depth > 1);
Otherwise p->linesize[0] * y will be evaluated as an unsigned which leads to segfaults in case linesize is negative. This happens in the apng-dispose-previous FATE-test in case one makes get_buffer return pictures with negative linesizes. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com> --- libavcodec/pngdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)