[FFmpeg-cvslog] avfilter/vf_gradfun: Do not overread last line

[Michael Niedermayer]

ffmpeg | branch: release/5.1 | Michael Niedermayer <michael at niedermayer.cc> | Sun Dec 24 20:50:51 2023 +0100| [37a8ed60f15bce975279a362a3014e8b2d7db07b] | committer: Michael Niedermayer

avfilter/vf_gradfun: Do not overread last line

The code works in steps of 2 lines and lacks support for odd height
Implementing odd height support is better but for now this fixes the
out of array access

Fixes: out of array access
Fixes: tickets/10702/poc6ffmpe

Found-by: Zeng Yunxiang
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit e4d2666bdc3dbd177a81bbf428654a5f2fa3787a)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=37a8ed60f15bce975279a362a3014e8b2d7db07b
---

 libavfilter/vf_gradfun.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavfilter/vf_gradfun.c b/libavfilter/vf_gradfun.c
index 71a5f9c787..db30342d3f 100644
--- a/libavfilter/vf_gradfun.c
+++ b/libavfilter/vf_gradfun.c
@@ -92,7 +92,7 @@ static void filter(GradFunContext *ctx, uint8_t *dst, const uint8_t *src, int wi
     for (y = 0; y < r; y++)
         ctx->blur_line(dc, buf + y * bstride, buf + (y - 1) * bstride, src + 2 * y * src_linesize, src_linesize, width / 2);
     for (;;) {
-        if (y < height - r) {
+        if (y + 1 < height - r) {
             int mod = ((y + r) / 2) % r;
             uint16_t *buf0 = buf + mod * bstride;
             uint16_t *buf1 = buf + (mod ? mod - 1 : r - 1) * bstride;