From c6a43a72444adafeeb859f2247b9ac03f20b6672 Mon Sep 17 00:00:00 2001
From: Stefano Sabatini <stefasab@gmail.com>
Date: Wed, 17 Apr 2013 22:11:21 +0200
Subject: lavfi/mptestsrc: fix invalid access in case of negative linesize

In particular, fix crash with:
ffplay -f lavfi mptestsrc,vflip
---
 libavfilter/vsrc_mptestsrc.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/libavfilter/vsrc_mptestsrc.c b/libavfilter/vsrc_mptestsrc.c
index 867cd506be..e931c76842 100644
--- a/libavfilter/vsrc_mptestsrc.c
+++ b/libavfilter/vsrc_mptestsrc.c
@@ -301,9 +301,10 @@ static int request_frame(AVFilterLink *outlink)
 {
     MPTestContext *test = outlink->src->priv;
     AVFrame *picref;
-    int w = WIDTH, h = HEIGHT, ch = h>>test->vsub;
+    int w = WIDTH, h = HEIGHT, cw = w>>test->hsub, ch = h>>test->vsub;
     unsigned int frame = test->frame_nb;
     enum test_type tt = test->test;
+    int i;
 
     if (test->max_pts >= 0 && test->pts > test->max_pts)
         return AVERROR_EOF;
@@ -313,9 +314,12 @@ static int request_frame(AVFilterLink *outlink)
     picref->pts = test->pts++;
 
     // clean image
-    memset(picref->data[0], 0,   picref->linesize[0] * h);
-    memset(picref->data[1], 128, picref->linesize[1] * ch);
-    memset(picref->data[2], 128, picref->linesize[2] * ch);
+    for (i = 0; i < h; i++)
+        memset(picref->data[0] + i*picref->linesize[0], 0, w);
+    for (i = 0; i < ch; i++) {
+        memset(picref->data[1] + i*picref->linesize[1], 128, cw);
+        memset(picref->data[2] + i*picref->linesize[2], 128, cw);
+    }
 
     if (tt == TEST_ALL && frame%30) /* draw a black frame at the beginning of each test */
         tt = (frame/30)%(TEST_NB-1);
-- 
cgit v1.2.3