[FFmpeg-cvslog] avcodec/c93: Fix segfault when using negative linesizes

Andreas Rheinhardt git at videolan.org
Wed Oct 5 15:49:41 EEST 2022


ffmpeg | branch: master | Andreas Rheinhardt <andreas.rheinhardt at outlook.com> | Fri Sep 30 18:12:46 2022 +0200| [fced3a17dbdade0635fe900ad0b748c5278c01a2] | committer: Andreas Rheinhardt

avcodec/c93: Fix segfault when using negative linesizes

c93.c used an int for the stride and an unsigned for the current
linenumber. This does not work when using negative linesizes.
So use ptrdiff_t for stride and int for linenumber.

This fixes the cyberia-c93 FATE test when using negative linesizes.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at outlook.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fced3a17dbdade0635fe900ad0b748c5278c01a2
---

 libavcodec/c93.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/libavcodec/c93.c b/libavcodec/c93.c
index 66b551a5d6..bfcbc7c150 100644
--- a/libavcodec/c93.c
+++ b/libavcodec/c93.c
@@ -130,7 +130,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
     AVFrame * const oldpic = c93->pictures[c93->currentpic^1];
     GetByteContext gb;
     uint8_t *out;
-    int stride, ret, i, x, y, b, bt = 0;
+    int ret, i, x, y, b, bt = 0;
+    ptrdiff_t stride;
 
     if ((ret = ff_set_dimensions(avctx, WIDTH, HEIGHT)) < 0)
         return ret;
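Review bot: The new `ptrdiff_t stride;` declaration has no comment explaining why the type matters, so a later cleanup could fold it back into the `int` list above it. I would add `/* linesize may be negative; keep this signed and pointer-sized so row offsets do not wrap */` on the line before it. The assignment to `stride` and the rest of decode_frame lie outside this hunk.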
@@ -156,7 +157,6 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
         out = newpic->data[0] + y * stride;
         for (x = 0; x < WIDTH; x += 8) {
             uint8_t *copy_from = oldpic->data[0];
-            unsigned int offset, j;
             uint8_t cols[4], grps[4];
             C93BlockType block_type;
 
@@ -165,16 +165,17 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
 
             block_type= bt & 0x0F;
             switch (block_type) {
-            case C93_8X8_FROM_PREV:
-                offset = bytestream2_get_le16(&gb);
+            case C93_8X8_FROM_PREV: {
+                int offset = bytestream2_get_le16(&gb);
                 if ((ret = copy_block(avctx, out, copy_from, offset, 8, stride)) < 0)
                     return ret;
                 break;
+            }
 
             case C93_4X4_FROM_CURR:
                 copy_from = newpic->data[0];
             case C93_4X4_FROM_PREV:
-                for (j = 0; j < 8; j += 4) {
+                for (int j = 0; j < 8; j += 4) {
                     for (i = 0; i < 8; i += 4) {
                         int offset = bytestream2_get_le16(&gb);
                         int from_x = offset % WIDTH;
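Review bot: The call `copy_block(avctx, out, copy_from, offset, 8, stride)` now passes a `ptrdiff_t`, but the diffstat's 8 insertions and 7 deletions are all accounted for inside decode_frame, so copy_block's prototype (not shown here) appears unchanged. If its last parameter is still `int`, the stride is converted back at the call. That is harmless for linesizes that fit in an int, but it leaves the two functions inconsistent, so consider declaring the parameter as `ptrdiff_t stride` there as well. `offset` is read straight from the bitstream, so its range check has to live in copy_block, which is outside this hunk.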
@@ -203,7 +204,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
             case C93_4X4_2COLOR:
             case C93_4X4_4COLOR:
             case C93_4X4_4COLOR_GRP:
-                for (j = 0; j < 8; j += 4) {
+                for (int j = 0; j < 8; j += 4) {
                     for (i = 0; i < 8; i += 4) {
                         if (block_type == C93_4X4_2COLOR) {
                             bytestream2_get_buffer(&gb, cols, 2);
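Review bot: `bytestream2_get_buffer(&gb, cols, 2)` ignores its return value, which is the number of bytes actually copied, and `cols` is declared earlier in the loop as `uint8_t cols[4], grps[4];` with no initializer. On a truncated packet `cols` could therefore hold indeterminate stack bytes that are then used as pixel colours; the commit only changes the loop counter here. Unless the packet length is validated before the loop (not visible in this diff), check the read, e.g. `if (bytestream2_get_buffer(&gb, cols, 2) != 2) return AVERROR_INVALIDDATA;`. The same unchecked call appears in the C93_8X8_INTRA hunk (`bytestream2_get_buffer(&gb, out + j*stride, 8)`), where a short read leaves output rows unwritten. The rest of this case body is outside the hunk.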
@@ -226,7 +227,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
                 break;
 
             case C93_8X8_INTRA:
-                for (j = 0; j < 8; j++)
+                for (int j = 0; j < 8; j++)
                     bytestream2_get_buffer(&gb, out + j*stride, 8);
                 break;
 


