[FFmpeg-cvslog] avcodec/lagarith: fix chroma plane width & height

Michael Niedermayer git at videolan.org
Mon Nov 10 18:03:28 CET 2014 

ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Mon Nov 10 17:30:44 2014 +0100| [e981de81fea7b2c07ae178b917305184f6596430] | committer: Michael Niedermayer

avcodec/lagarith: fix chroma plane width & height

Fixes out of array read
Fixes: asan_heap-oob_1bf48fa_2513_lag-yuy2.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e981de81fea7b2c07ae178b917305184f6596430
---

 libavcodec/lagarith.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c
index a08d7fd..5f97d0f 100644
--- a/libavcodec/lagarith.c
+++ b/libavcodec/lagarith.c
@@ -675,10 +675,10 @@ static int lag_decode_frame(AVCodecContext *avctx,
         lag_decode_arith_plane(l, p->data[0], avctx->width, avctx->height,
                                p->linesize[0], buf + offset_ry,
                                buf_size - offset_ry);
-        lag_decode_arith_plane(l, p->data[1], avctx->width / 2,
+        lag_decode_arith_plane(l, p->data[1], (avctx->width + 1) / 2,
                                avctx->height, p->linesize[1],
                                buf + offset_gu, buf_size - offset_gu);
-        lag_decode_arith_plane(l, p->data[2], avctx->width / 2,
+        lag_decode_arith_plane(l, p->data[2], (avctx->width + 1) / 2,
                                avctx->height, p->linesize[2],
                                buf + offset_bv, buf_size - offset_bv);
         break;
@@ -702,11 +702,11 @@ static int lag_decode_frame(AVCodecContext *avctx,
         lag_decode_arith_plane(l, p->data[0], avctx->width, avctx->height,
                                p->linesize[0], buf + offset_ry,
                                buf_size - offset_ry);
-        lag_decode_arith_plane(l, p->data[2], avctx->width / 2,
-                               avctx->height / 2, p->linesize[2],
+        lag_decode_arith_plane(l, p->data[2], (avctx->width + 1) / 2,
+                               (avctx->height + 1) / 2, p->linesize[2],
                                buf + offset_gu, buf_size - offset_gu);
-        lag_decode_arith_plane(l, p->data[1], avctx->width / 2,
-                               avctx->height / 2, p->linesize[1],
+        lag_decode_arith_plane(l, p->data[1], (avctx->width + 1) / 2,
+                               (avctx->height + 1) / 2, p->linesize[1],
                                buf + offset_bv, buf_size - offset_bv);
         break;
     default:

More information about the ffmpeg-cvslog mailing list