From 2224159c787ed19a3cd2e061bc00af125c9c2cef Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 14 Dec 2013 17:55:25 +0100
Subject: avcodec/vc1: fix DIFF2/NORM2 with width<=16

Fixes read of uninitialized memory
Fixes msan_uninit-mem_7f785da000e8_585_480i30__codec_WVC1__mode_2__framerate_29.970__type_2__preproc_17.wmv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer
---
 libavcodec/vc1.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'libavcodec/vc1.c')

diff --git a/libavcodec/vc1.c b/libavcodec/vc1.c
index f20b946be6..6557724954 100644
--- a/libavcodec/vc1.c
+++ b/libavcodec/vc1.c
@@ -122,12 +122,16 @@ static int bitplane_decoding(uint8_t* data, int *raw_flag, VC1Context *v)
 case IMODE_NORM2:
 if ((height * width) & 1) {
 *planep++ = get_bits1(gb);
- offset = 1;
+ y = offset = 1;
+ if (offset == width) {
+ offset = 0;
+ planep += stride - width;
+ }
 } else
- offset = 0;
+ y = offset = 0;
 // decode bitplane as one long line
- for (y = offset; y < height * width; y += 2) {
+ for (; y < height * width; y += 2) {
 code = get_vlc2(gb, ff_vc1_norm2_vlc.table, VC1_NORM2_VLC_BITS, 1);
 *planep++ = code & 1;
 offset++;
-- 
cgit v1.2.3
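Review bot: The new `if (offset == width)` wrap after the parity bit carries no comment, and the invariant it restores (the column counter must be below `width` when the pair loop starts) is exactly what the uninitialized-memory report hinged on. I would add above it `/* width == 1: the parity bit already filled this row, so step to the next row before decoding pairs */`. Now that `y` and `offset` are initialised together but diverge on that path, the `for (; y < height * width; y += 2)` line also deserves a short remark such as `/* y counts decoded bits, offset is the column within the current row */`. The loop body continues past the end of the hunk, so whether each `offset++` there is followed by its own equality-based wrap check cannot be confirmed from here. If those checks also use `==`, an `av_assert2(offset < width)` at loop entry would catch any later regression of the same kind.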