generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

avcodec/lagarith: fix chroma plane width & height

Browse Source 
Fixes out of array read
Fixes: asan_heap-oob_1bf48fa_2513_lag-yuy2.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer
2014-11-10 17:30:44 +01:00
parent 73f74f6b16
commit e981de81fe
1 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
libavcodec/lagarith.c
View File

@@ -675,10 +675,10 @@ static int lag_decode_frame(AVCodecContext *avctx,
lag_decode_arith_plane(l, p->data[0], avctx->width, avctx->height, lag_decode_arith_plane(l, p->data[0], avctx->width, avctx->height,
p->linesize[0], buf + offset_ry, p->linesize[0], buf + offset_ry,
buf_size - offset_ry); buf_size - offset_ry);
lag_decode_arith_plane(l, p->data[1], avctx->width / 2, lag_decode_arith_plane(l, p->data[1], (avctx->width + 1) / 2,
avctx->height, p->linesize[1], avctx->height, p->linesize[1],
buf + offset_gu, buf_size - offset_gu); buf + offset_gu, buf_size - offset_gu);
lag_decode_arith_plane(l, p->data[2], avctx->width / 2, lag_decode_arith_plane(l, p->data[2], (avctx->width + 1) / 2,
avctx->height, p->linesize[2], avctx->height, p->linesize[2],
buf + offset_bv, buf_size - offset_bv); buf + offset_bv, buf_size - offset_bv);
break; break;
@@ -702,11 +702,11 @@ static int lag_decode_frame(AVCodecContext *avctx,
lag_decode_arith_plane(l, p->data[0], avctx->width, avctx->height, lag_decode_arith_plane(l, p->data[0], avctx->width, avctx->height,
p->linesize[0], buf + offset_ry, p->linesize[0], buf + offset_ry,
buf_size - offset_ry); buf_size - offset_ry);
lag_decode_arith_plane(l, p->data[2], avctx->width / 2, lag_decode_arith_plane(l, p->data[2], (avctx->width + 1) / 2,
avctx->height / 2, p->linesize[2], (avctx->height + 1) / 2, p->linesize[2],
buf + offset_gu, buf_size - offset_gu); buf + offset_gu, buf_size - offset_gu);
lag_decode_arith_plane(l, p->data[1], avctx->width / 2, lag_decode_arith_plane(l, p->data[1], (avctx->width + 1) / 2,
avctx->height / 2, p->linesize[1], (avctx->height + 1) / 2, p->linesize[1],
buf + offset_bv, buf_size - offset_bv); buf + offset_bv, buf_size - offset_bv);
break; break;
default: default: