Message ID | db076b57-7e16-8a60-be5b-89971527e688@googlemail.com |
---|---|
State | Accepted |
Commit | 360bc0d90aa66cf21e9f488e77d21db18e01ec9c |
Headers | show |
On Thu, Nov 10, 2016 at 10:14:04PM +0100, Andreas Cadhalpun wrote: > This fixes a heap-buffer-overflow detected by AddressSanitizer. > > Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> > --- > libavcodec/smvjpegdec.c | 4 ++++ > 1 file changed, 4 insertions(+) LGTM thx [...]
On 11.11.2016 01:58, Michael Niedermayer wrote: > On Thu, Nov 10, 2016 at 10:14:04PM +0100, Andreas Cadhalpun wrote: >> This fixes a heap-buffer-overflow detected by AddressSanitizer. >> >> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> >> --- >> libavcodec/smvjpegdec.c | 4 ++++ >> 1 file changed, 4 insertions(+) > > LGTM Pushed. Best regards, Andreas
diff --git a/libavcodec/smvjpegdec.c b/libavcodec/smvjpegdec.c index 9057e86..e319e57 100644 --- a/libavcodec/smvjpegdec.c +++ b/libavcodec/smvjpegdec.c @@ -152,6 +152,10 @@ static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_siz cur_frame = avpkt->pts % s->frames_per_jpeg; + /* cur_frame is later used to calculate the buffer offset, so it mustn't be negative */ + if (cur_frame < 0) + cur_frame += s->frames_per_jpeg; + /* Are we at the start of a block? */ if (!cur_frame) { av_frame_unref(mjpeg_data);
This fixes a heap-buffer-overflow detected by AddressSanitizer. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> --- libavcodec/smvjpegdec.c | 4 ++++ 1 file changed, 4 insertions(+)