On Mon, May 25, 2015 at 8:57 PM, Luca Barbato <[email protected]> wrote: > As done in msrle_decode_8_16_24_32. > > Bug-Id: CVE-2015-3395 > CC: [email protected] > --- > libavcodec/msrledec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/msrledec.c b/libavcodec/msrledec.c > index af2a247..370d9bd 100644 > --- a/libavcodec/msrledec.c > +++ b/libavcodec/msrledec.c > @@ -39,7 +39,7 @@ static int msrle_decode_pal4(AVCodecContext *avctx, > AVPicture *pic, > unsigned int pixel_ptr = 0; > int row_dec = pic->linesize[0]; > int row_ptr = (avctx->height - 1) * row_dec; > - int frame_size = row_dec * avctx->height; > + int frame_size = FFABS(row_dec) * avctx->height; > int i; > > while (row_ptr >= 0) { > -- > 2.3.2
oh those lovable negative linesizes! i think ok -- Vittorio _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
