1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-11-26 19:01:44 +02:00

avcodec/msrle: use av_image_get_linesize() to calculate the linesize

Fixes out of array access
Fixes: 14a74a0a2dc67ede543f0e35d834fbbe-asan_heap-oob_49572c_556_cov_215466444_44_001_engine_room.mov
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2014-02-16 23:08:52 +01:00
parent 2218fbe05e
commit c919e1ca2e

View File

@ -35,6 +35,7 @@
#include "avcodec.h" #include "avcodec.h"
#include "internal.h" #include "internal.h"
#include "msrledec.h" #include "msrledec.h"
#include "libavutil/imgutils.h"
typedef struct MsrleContext { typedef struct MsrleContext {
AVCodecContext *avctx; AVCodecContext *avctx;
@ -110,7 +111,7 @@ static int msrle_decode_frame(AVCodecContext *avctx,
/* FIXME how to correctly detect RLE ??? */ /* FIXME how to correctly detect RLE ??? */
if (avctx->height * istride == avpkt->size) { /* assume uncompressed */ if (avctx->height * istride == avpkt->size) { /* assume uncompressed */
int linesize = (avctx->width * avctx->bits_per_coded_sample + 7) / 8; int linesize = av_image_get_linesize(avctx->pix_fmt, avctx->width, 0);
uint8_t *ptr = s->frame->data[0]; uint8_t *ptr = s->frame->data[0];
uint8_t *buf = avpkt->data + (avctx->height-1)*istride; uint8_t *buf = avpkt->data + (avctx->height-1)*istride;
int i, j; int i, j;