Fixes invalid writes with very small image heights.
CC: libav-stable@libav.org
Bug-ID: CVE-2014-8547
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Anton Khirnov <anton@khirnov.net>
case 1:
y1 += 8;
ptr += linesize * 8;
- if (y1 >= height) {
- y1 = pass ? 2 : 4;
- ptr = ptr1 + linesize * y1;
- pass++;
- }
break;
case 2:
y1 += 4;
ptr += linesize * 4;
- if (y1 >= height) {
- y1 = 1;
- ptr = ptr1 + linesize;
- pass++;
- }
break;
case 3:
y1 += 2;
ptr += linesize * 2;
break;
}
+ while (y1 >= height) {
+ y1 = 4 >> pass;
+ ptr = ptr1 + linesize * y1;
+ pass++;
+ }
} else {
ptr += linesize;
}