Patrick Williams | b48b7b4 | 2016-08-17 15:04:38 -0500 | [diff] [blame^] | 1 | gst-ffmpeg: pngdec/filter: dont access out of array elements at the end |
| 2 | |
| 3 | Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind |
| 4 | |
| 5 | Upstream-Status: Backport |
| 6 | |
| 7 | Signed-off-by: Yue Tao <yue.tao@windriver.com> |
| 8 | --- |
| 9 | libavcodec/pngdec.c | 12 ++++-------- |
| 10 | 1 files changed, 4 insertions(+), 8 deletions(-) |
| 11 | |
| 12 | diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c |
| 13 | index 97c0ad1..193e35e 100644 |
| 14 | --- a/gst-libs/ext/libav/libavcodec/pngdec.c |
| 15 | +++ b/gst-libs/ext/libav/libavcodec/pngdec.c |
| 16 | @@ -190,7 +190,7 @@ void ff_add_png_paeth_prediction(uint8_t *dst, uint8_t *src, uint8_t *top, int w |
| 17 | if(bpp >= 2) g = dst[1];\ |
| 18 | if(bpp >= 3) b = dst[2];\ |
| 19 | if(bpp >= 4) a = dst[3];\ |
| 20 | - for(; i < size; i+=bpp) {\ |
| 21 | + for(; i <= size - bpp; i+=bpp) {\ |
| 22 | dst[i+0] = r = op(r, src[i+0], last[i+0]);\ |
| 23 | if(bpp == 1) continue;\ |
| 24 | dst[i+1] = g = op(g, src[i+1], last[i+1]);\ |
| 25 | @@ -206,13 +206,9 @@ void ff_add_png_paeth_prediction(uint8_t *dst, uint8_t *src, uint8_t *top, int w |
| 26 | else if(bpp == 2) UNROLL1(2, op)\ |
| 27 | else if(bpp == 3) UNROLL1(3, op)\ |
| 28 | else if(bpp == 4) UNROLL1(4, op)\ |
| 29 | - else {\ |
| 30 | - for (; i < size; i += bpp) {\ |
| 31 | - int j;\ |
| 32 | - for (j = 0; j < bpp; j++)\ |
| 33 | - dst[i+j] = op(dst[i+j-bpp], src[i+j], last[i+j]);\ |
| 34 | - }\ |
| 35 | - } |
| 36 | + for (; i < size; i++) {\ |
| 37 | + dst[i] = op(dst[i-bpp], src[i], last[i]);\ |
| 38 | + }\ |
| 39 | |
| 40 | /* NOTE: 'dst' can be equal to 'last' */ |
| 41 | static void png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type, |
| 42 | -- |
| 43 | 1.7.5.4 |
| 44 | |