avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it
Fixes: 04715144ba237443010554be0d05343f/asan_heap-oob_1eafc76_1737_c685b48041a563461839e4e7ab97abb8.jpg
Fixes out of array access
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d24888ef19
)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
@@ -1066,7 +1066,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
|
|||||||
dc = mjpeg_decode_dc(s, s->dc_index[i]);
|
dc = mjpeg_decode_dc(s, s->dc_index[i]);
|
||||||
if(dc == 0xFFFFF)
|
if(dc == 0xFFFFF)
|
||||||
return -1;
|
return -1;
|
||||||
if(bits<=8){
|
if ( h * mb_x + x >= s->width
|
||||||
|
|| v * mb_y + y >= s->height) {
|
||||||
|
// Nothing to do
|
||||||
|
} else if (bits<=8) {
|
||||||
ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap
|
ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap
|
||||||
if(y==0 && toprow){
|
if(y==0 && toprow){
|
||||||
if(x==0 && leftcol){
|
if(x==0 && leftcol){
|
||||||
@@ -1134,7 +1137,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
|
|||||||
dc = mjpeg_decode_dc(s, s->dc_index[i]);
|
dc = mjpeg_decode_dc(s, s->dc_index[i]);
|
||||||
if(dc == 0xFFFFF)
|
if(dc == 0xFFFFF)
|
||||||
return -1;
|
return -1;
|
||||||
if(bits<=8){
|
if ( h * mb_x + x >= s->width
|
||||||
|
|| v * mb_y + y >= s->height) {
|
||||||
|
// Nothing to do
|
||||||
|
} else if (bits<=8) {
|
||||||
ptr = s->picture_ptr->data[c] +
|
ptr = s->picture_ptr->data[c] +
|
||||||
(linesize * (v * mb_y + y)) +
|
(linesize * (v * mb_y + y)) +
|
||||||
(h * mb_x + x); //FIXME optimize this crap
|
(h * mb_x + x); //FIXME optimize this crap
|
||||||
|
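Review bot: The new guard in both hunks (old lines 1066 and 1134) bounds `h * mb_x + x` and `v * mb_y + y` by `s->width` and `s->height`, the frame dimensions, for every component `c`, while the store goes through `s->picture_ptr->data[c]`. If a subsampled chroma plane is allocated smaller than the frame, this guard alone would not keep `ptr` inside that plane; safety would then depend on the `mb_x`/`mb_y` loop limits, which are outside the hunk, so it is worth confirming them or comparing against the per-component plane size. The empty branch also deserves more than `// Nothing to do`, for example `// sample lies outside the picture: dc is still decoded above, only the store is skipped`. The body of ljpeg_decode_yuv_scan starts and ends outside both hunks.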