From: Michael Niedermayer
Date: Wed, 4 Nov 2015 16:08:52 +0000 (+0100)
Subject: avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it
X-Git-Tag: archive/raspbian/6%11.12-1_deb8u6+rpi1^2~39
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=1bcd90a4443d986bb8a452ddf564872e5ce62316;p=libav.git
avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it
avcodec/mjpegdec: Check index in ljpeg_decode_yuv_scan() before using it
Fixes: 04715144ba237443010554be0d05343f/asan_heap-oob_1eafc76_1737_c685b48041a563461839e4e7ab97abb8.jpg
Fixes out of array access
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
[sunweaver] Re-based for libav 11.12 in Debian jessie LTS.
Gbp-Pq: Name CVE-2015-8216.patch
---
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 6412340..7aedd2a 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -768,6 +768,10 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
 for (j = 0; j < n; j++) {
 int pred;
+ if ( h * mb_x + x >= s->width
+ || v * mb_y + y >= s->height) {
+ // Nothing to do
+ } else {
 // FIXME optimize this crap
 ptr = s->picture_ptr->data[c] +
 (linesize * (v * mb_y + y)) +
@@ -788,6 +792,7 @@ static int ljpeg_decode_yuv_scan(MJpegDecodeContext *s, int predictor,
 if (s->interlaced && s->bottom_field)
 ptr += linesize >> 1;
 *ptr = pred + (mjpeg_decode_dc(s, s->dc_index[i]) << point_transform);
+ }
 if (++x == h) {
 x = 0;
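Review bot: The empty branch carries only `// Nothing to do`, which does not tell a reader why skipping the sample is correct; a comment such as `// sample position is outside the picture: skip the store to avoid an out-of-array write` would record what the guard is for. The test is applied to the single `for (j = 0; j < n; j++)` loop visible here, and ljpeg_decode_yuv_scan() starts and ends outside the hunk, so any other loop in the function that forms the same `ptr` offset should be confirmed to carry the same check. The guarded statements also stay at their old indentation under `} else {`, which makes the new nesting easy to miss when reading the function later.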
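Review bot: The closing `}` is added after the `*ptr = pred + (mjpeg_decode_dc(s, s->dc_index[i]) << point_transform);` line, so the mjpeg_decode_dc() call sits inside the else branch and is not made for a sample that fails the bounds test. If the stream still codes a DC value for those out-of-picture samples (likely when the dimensions are not a multiple of the sampling factors, though this hunk does not show it), every later sample in the scan would be read from the wrong bit position. Reading the value before the test and guarding only the store would keep the bitstream in step, for example `int dc = mjpeg_decode_dc(s, s->dc_index[i]);` ahead of the `if` and `*ptr = pred + (dc << point_transform);` in the else branch. The rest of the loop body lies outside the hunk, so the placement of the `pred` computation relative to the guard should be checked as well.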