[FFmpeg-devel] [PATCH 5/7] avcodec/c93: Fix segfault when using negative linesizes

Andreas Rheinhardt andreas.rheinhardt at outlook.com
Fri Sep 30 20:05:13 EEST 2022


c93.c used an int for the stride and an unsigned for the current
line number. This does not work when using negative linesizes.
So use ptrdiff_t for stride and int for the line number.

This fixes the cyberia-c93 FATE test when using negative linesizes.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at outlook.com>
---
 libavcodec/c93.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/libavcodec/c93.c b/libavcodec/c93.c
index 66b551a5d6..bfcbc7c150 100644
--- a/libavcodec/c93.c
+++ b/libavcodec/c93.c
@@ -130,7 +130,8 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
     AVFrame * const oldpic = c93->pictures[c93->currentpic^1];
     GetByteContext gb;
     uint8_t *out;
-    int stride, ret, i, x, y, b, bt = 0;
+    int ret, i, x, y, b, bt = 0;
+    ptrdiff_t stride;
 
     if ((ret = ff_set_dimensions(avctx, WIDTH, HEIGHT)) < 0)
         return ret;
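Review bot: The new `ptrdiff_t stride;` declaration does not say why the type matters, and the fault it fixes (a negative linesize multiplied by an unsigned row index, giving a wild pointer offset) is easy to reintroduce with a later `unsigned` counter. A one-line comment on the declaration would pin the invariant, e.g. `/* signed and pointer-width: linesize may be negative; never multiply by an unsigned index */`. The assignment to `stride` and the rest of decode_frame lie outside this hunk.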
@@ -156,7 +157,6 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
         out = newpic->data[0] + y * stride;
         for (x = 0; x < WIDTH; x += 8) {
             uint8_t *copy_from = oldpic->data[0];
-            unsigned int offset, j;
             uint8_t cols[4], grps[4];
             C93BlockType block_type;
 
@@ -165,16 +165,17 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
 
             block_type= bt & 0x0F;
             switch (block_type) {
-            case C93_8X8_FROM_PREV:
-                offset = bytestream2_get_le16(&gb);
+            case C93_8X8_FROM_PREV: {
+                int offset = bytestream2_get_le16(&gb);
                 if ((ret = copy_block(avctx, out, copy_from, offset, 8, stride)) < 0)
                     return ret;
                 break;
+            }
 
             case C93_4X4_FROM_CURR:
                 copy_from = newpic->data[0];
             case C93_4X4_FROM_PREV:
-                for (j = 0; j < 8; j += 4) {
+                for (int j = 0; j < 8; j += 4) {
                     for (i = 0; i < 8; i += 4) {
                         int offset = bytestream2_get_le16(&gb);
                         int from_x = offset % WIDTH;
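Review bot: `int offset = bytestream2_get_le16(&gb);` in the C93_8X8_FROM_PREV case takes a 16-bit value straight from the packet and hands it to copy_block() as a source position, with no range check in this hunk; the validation presumably sits in copy_block(), which the diff does not show. A comment would make that dependency explicit for later readers: `/* offset is packet-controlled (0..65535); copy_block() is expected to reject positions outside the frame */`. The diffstat shows copy_block() untouched, so if its stride parameter is still `int` the new ptrdiff_t is narrowed again at this call; that looks value-safe, but it is worth confirming and aligning the type. The inner 4x4 loop body continues outside the hunk.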
@@ -203,7 +204,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
             case C93_4X4_2COLOR:
             case C93_4X4_4COLOR:
             case C93_4X4_4COLOR_GRP:
-                for (j = 0; j < 8; j += 4) {
+                for (int j = 0; j < 8; j += 4) {
                     for (i = 0; i < 8; i += 4) {
                         if (block_type == C93_4X4_2COLOR) {
                             bytestream2_get_buffer(&gb, cols, 2);
@@ -226,7 +227,7 @@ static int decode_frame(AVCodecContext *avctx, AVFrame *rframe,
                 break;
 
             case C93_8X8_INTRA:
-                for (j = 0; j < 8; j++)
+                for (int j = 0; j < 8; j++)
                     bytestream2_get_buffer(&gb, out + j*stride, 8);
                 break;
 
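Review bot: In the C93_8X8_INTRA case the return value of `bytestream2_get_buffer(&gb, out + j*stride, 8)` is ignored, so a packet that ends early would leave some rows of the block holding whatever the frame buffer contained before, without an error. Unless a length check earlier in decode_frame (not visible in this hunk) already guarantees 64 bytes, a guard before the loop would make truncation explicit: `if (bytestream2_get_bytes_left(&gb) < 64) return AVERROR_INVALIDDATA;`. The loop body would also read more safely with braces now that the line is being touched.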
-- 
2.34.1


