From 360bc0d90aa66cf21e9f488e77d21db18e01ec9c Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Date: Thu, 10 Nov 2016 22:09:03 +0100
Subject: [PATCH] smvjpegdec: make sure cur_frame is not negative

This fixes a heap-buffer-overflow detected by AddressSanitizer.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
 libavcodec/smvjpegdec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/smvjpegdec.c b/libavcodec/smvjpegdec.c
index 9057e86161c..e319e5781b6 100644
--- a/libavcodec/smvjpegdec.c
+++ b/libavcodec/smvjpegdec.c
@@ -152,6 +152,10 @@ static int smvjpeg_decode_frame(AVCodecContext *avctx, void *data, int *data_siz
 
     cur_frame = avpkt->pts % s->frames_per_jpeg;
 
+    /* cur_frame is later used to calculate the buffer offset, so it mustn't be negative */
+    if (cur_frame < 0)
+        cur_frame += s->frames_per_jpeg;
+
     /* Are we at the start of a block? */
     if (!cur_frame) {
         av_frame_unref(mjpeg_data);
-- 
GitLab