avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it
authorMichael Niedermayer <michael@niedermayer.cc>
Wed, 4 Nov 2015 16:08:52 +0000 (17:08 +0100)
committerMike Gabriel <sunweaver@debian.org>
Sat, 31 Aug 2019 15:36:55 +0000 (16:36 +0100)
avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it

Fixes: 04715144ba237443010554be0d05343f/asan_heap-oob_1eafc76_1737_c685b48041a563461839e4e7ab97abb8.jpg
Fixes out of array access

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[sunweaver] Re-based for libav 11.12 in Debian jessie LTS.

Gbp-Pq: Name CVE-2015-8216.patch

libavcodec/mjpegdec.c

index 6412340c00cd8dea3d3f310777be3fc708e1c096..7aedd2a14ff5b61f32397d8b5e2c762a8788caf9 100644 (file)
@@ -768,6 +768,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
 
                     for (j = 0; j < n; j++) {
                         int pred;
+                        if (   h * mb_x + x >= s->width
+                            || v * mb_y + y >= s->height) {
+                            // Nothing to do
+                        } else {
                         // FIXME optimize this crap
                         ptr = s->picture_ptr->data[c] +
                               (linesize * (v * mb_y + y)) +
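Review bot: The new guard at the top of the `for (j = 0; j < n; j++)` body is an empty `if` branch with a `// Nothing to do` comment, and the statements now under `else` keep their old indentation, so the new scope is easy to miss when reading the function. Stating the condition positively, `if (h * mb_x + x < s->width && v * mb_y + y < s->height) {`, removes the empty branch. A comment such as `/* sample lies past the picture edge: storing it through ptr would go out of bounds */` would record why the check exists, which `Nothing to do` does not. The loop body and the enclosing function both continue outside this hunk.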
@@ -788,6 +792,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
                         if (s->interlaced && s->bottom_field)
                             ptr += linesize >> 1;
                         *ptr = pred + (mjpeg_decode_dc(s, s->dc_index[i]) << point_transform);
+                        }
 
                         if (++x == h) {
                             x = 0;
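Review bot: The `mjpeg_decode_dc(s, s->dc_index[i])` call sits inside the new `else` that closes here, so for a sample that fails the bounds check nothing is read from the bitstream, rather than only the store being skipped. If the stream still carries a code for such edge samples (plausible when the picture size is not a multiple of the sampling factors, though this hunk cannot confirm it), every later sample in the scan would be decoded from the wrong bit position. Decoding unconditionally and guarding only the store keeps the reader in step: `int dc = mjpeg_decode_dc(s, s->dc_index[i]);` ahead of the bounds check, and `*ptr = pred + (dc << point_transform);` inside it. The function continues past the end of this hunk, and any other sample loop in it that computes `ptr` the same way would need the same guard.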