From d24888ef19ba38b787b11d1ee091a3d94920c76a Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 4 Nov 2015 18:08:52 +0100
Subject: [PATCH] avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan()
before using it
Fixes: 04715144ba237443010554be0d05343f/asan_heap-oob_1eafc76_1737_c685b48041a563461839e4e7ab97abb8.jpg
Fixes out of array access
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/mjpegdec.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index e17b21357f4..6dfe8328655 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -1093,7 +1093,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
dc = mjpeg_decode_dc(s, s->dc_index[i]);
if(dc == 0xFFFFF)
return -1;
- if(bits<=8){
+ if ( h * mb_x + x >= s->width
+ || v * mb_y + y >= s->height) {
+ // Nothing to do
+ } else if (bits<=8) {
ptr = s->picture_ptr->data[c] + (linesize * (v * mb_y + y)) + (h * mb_x + x); //FIXME optimize this crap
if(y==0 && toprow){
if(x==0 && leftcol){
@@ -1161,7 +1164,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
dc = mjpeg_decode_dc(s, s->dc_index[i]);
if(dc == 0xFFFFF)
return -1;
- if(bits<=8){
+ if ( h * mb_x + x >= s->width
+ || v * mb_y + y >= s->height) {
+ // Nothing to do
+ } else if (bits<=8) {
ptr = s->picture_ptr->data[c] +
(linesize * (v * mb_y + y)) +
(h * mb_x + x); //FIXME optimize this crap
--
GitLab