avcodec/c93: Fix segfault when using negative linesizes

c93.c used an int for the stride and an unsigned for the current linenumber. This does not work when using negative linesizes. So use ptrdiff_t for stride and int for linenumber. This fixes the cyberia-c93 FATE test when using negative linesizes. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
2025-08-10 06:10:52 +02:00 · 2022-09-30 18:12:46 +02:00
parent ce4713ea73
commit fced3a17db
1 changed files with 8 additions and 7 deletions
--- a/libavcodec/c93.c
+++ b/libavcodec/c93.c
@@ -130,7 +130,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
    AVFrame * const oldpic = c93->pictures[c93->currentpic^1];
    GetByteContext gb;
    uint8_t *out;
-    int stride, ret, i, x, y, b, bt = 0;
+    int ret, i, x, y, b, bt = 0;
+    ptrdiff_t stride;

    if ((ret = ff_set_dimensions(avctx, WIDTH, HEIGHT)) < 0)
        return ret;
@@ -156,7 +157,6 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
        out = newpic->data[0] + y * stride;
        for (x = 0; x < WIDTH; x += 8) {
            uint8_t *copy_from = oldpic->data[0];
-            unsigned int offset, j;
            uint8_t cols[4], grps[4];
            C93BlockType block_type;

@@ -165,16 +165,17 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,

            block_type= bt & 0x0F;
            switch (block_type) {
-            case C93_8X8_FROM_PREV:
-                offset = bytestream2_get_le16(&gb);
+            case C93_8X8_FROM_PREV: {
+                int offset = bytestream2_get_le16(&gb);
                if ((ret = copy_block(avctx, out, copy_from, offset, 8, stride)) < 0)
                    return ret;
                break;
+            }

            case C93_4X4_FROM_CURR:
                copy_from = newpic->data[0];
            case C93_4X4_FROM_PREV:
-                for (j = 0; j < 8; j += 4) {
+                for (int j = 0; j < 8; j += 4) {
                    for (i = 0; i < 8; i += 4) {
                        int offset = bytestream2_get_le16(&gb);
                        int from_x = offset % WIDTH;
@@ -203,7 +204,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
            case C93_4X4_2COLOR:
            case C93_4X4_4COLOR:
            case C93_4X4_4COLOR_GRP:
-                for (j = 0; j < 8; j += 4) {
+                for (int j = 0; j < 8; j += 4) {
                    for (i = 0; i < 8; i += 4) {
                        if (block_type == C93_4X4_2COLOR) {
                            bytestream2_get_buffer(&gb, cols, 2);
@@ -226,7 +227,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
                break;

            case C93_8X8_INTRA:
-                for (j = 0; j < 8; j++)
+                for (int j = 0; j < 8; j++)
                    bytestream2_get_buffer(&gb, out + j*stride, 8);
                break;