[FFmpeg-cvslog] avcodec/pngenc: Fix mixed up linesizes
    Michael Niedermayer 
    git at videolan.org
       
    Fri Jan 15 16:23:56 CET 2016
    
    
  
ffmpeg | branch: release/2.8 | Michael Niedermayer <michael at niedermayer.cc> | Fri Jan 15 00:57:00 2016 +0100| [4676e20a9da6add1886a9ae11389f9b9471cbacc] | committer: Michael Niedermayer
avcodec/pngenc: Fix mixed up linesizes
Fixes out of array accesses
Fixes: 0cf176e6d3ab9fe924f39738e513f547/asan_generic_4a54aa_3431_aaa28be1cb32e307a9890cad06f84fba.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 8f4c3e4b92212d98f5b9ca2dee13e076effe9589)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4676e20a9da6add1886a9ae11389f9b9471cbacc
---
 libavcodec/pngenc.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c
index ef78d76..edc9011 100644
--- a/libavcodec/pngenc.c
+++ b/libavcodec/pngenc.c
@@ -751,7 +751,7 @@ static int apng_encode_frame(AVCodecContext *avctx, const AVFrame *pict,
 
                 if (last_fctl_chunk.dispose_op == APNG_DISPOSE_OP_BACKGROUND) {
                     for (y = last_fctl_chunk.y_offset; y < last_fctl_chunk.y_offset + last_fctl_chunk.height; ++y) {
-                        size_t row_start = s->last_frame->linesize[0] * y + bpp * last_fctl_chunk.x_offset;
+                        size_t row_start = diffFrame->linesize[0] * y + bpp * last_fctl_chunk.x_offset;
                         memset(diffFrame->data[0] + row_start, 0, bpp * last_fctl_chunk.width);
                     }
                 }
@@ -926,7 +926,7 @@ static int encode_apng(AVCodecContext *avctx, AVPacket *pkt,
                 uint32_t y;
                 uint8_t bpp = (s->bits_per_pixel + 7) >> 3;
                 for (y = s->last_frame_fctl.y_offset; y < s->last_frame_fctl.y_offset + s->last_frame_fctl.height; ++y) {
-                    size_t row_start = s->last_frame->linesize[0] * y + bpp * s->last_frame_fctl.x_offset;
+                    size_t row_start = s->prev_frame->linesize[0] * y + bpp * s->last_frame_fctl.x_offset;
                     memset(s->prev_frame->data[0] + row_start, 0, bpp * s->last_frame_fctl.width);
                 }
             }
    
    
More information about the ffmpeg-cvslog
mailing list