Browse code
avcodec/pngenc: Fix mixed up linesizes
Fixes out of array accesses
Fixes: 0cf176e6d3ab9fe924f39738e513f547/asan_generic_4a54aa_3431_aaa28be1cb32e307a9890cad06f84fba.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 8f4c3e4b92212d98f5b9ca2dee13e076effe9589)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer authored on 2016/01/15 08:57:00Showing 1 changed files
| ... | ... |
@@ -751,7 +751,7 @@ static int apng_encode_frame(AVCodecContext *avctx, const AVFrame *pict, |
| 751 | 751 |
|
| 752 | 752 |
if (last_fctl_chunk.dispose_op == APNG_DISPOSE_OP_BACKGROUND) {
|
| 753 | 753 |
for (y = last_fctl_chunk.y_offset; y < last_fctl_chunk.y_offset + last_fctl_chunk.height; ++y) {
|
| 754 |
- size_t row_start = s->last_frame->linesize[0] * y + bpp * last_fctl_chunk.x_offset; |
|
| 754 |
+ size_t row_start = diffFrame->linesize[0] * y + bpp * last_fctl_chunk.x_offset; |
|
| 755 | 755 |
memset(diffFrame->data[0] + row_start, 0, bpp * last_fctl_chunk.width); |
| 756 | 756 |
} |
| 757 | 757 |
} |
| ... | ... |
@@ -926,7 +926,7 @@ static int encode_apng(AVCodecContext *avctx, AVPacket *pkt, |
| 926 | 926 |
uint32_t y; |
| 927 | 927 |
uint8_t bpp = (s->bits_per_pixel + 7) >> 3; |
| 928 | 928 |
for (y = s->last_frame_fctl.y_offset; y < s->last_frame_fctl.y_offset + s->last_frame_fctl.height; ++y) {
|
| 929 |
- size_t row_start = s->last_frame->linesize[0] * y + bpp * s->last_frame_fctl.x_offset; |
|
| 929 |
+ size_t row_start = s->prev_frame->linesize[0] * y + bpp * s->last_frame_fctl.x_offset; |
|
| 930 | 930 |
memset(s->prev_frame->data[0] + row_start, 0, bpp * s->last_frame_fctl.width); |
| 931 | 931 |
} |
| 932 | 932 |
} |