From 84afc6b70d24fc0bf686e43138c96cf60a9445fe Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Tue, 30 Jun 2015 01:19:30 +0200
Subject: avcodec/mjpegdec: Fix small picture upscale

Fixes out of array access

Fixes: asan_heap-oob_1dd60fd_267_cov_2954683513_5baad44ca4702949724234e35c5bb341.jpg

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/mjpegdec.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'libavcodec')

diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 87c5862a49..8bf950db6a 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -2195,11 +2195,13 @@ the_end:
                     }
                 } else if (s->upscale_h[p] == 2) {
                     if (is16bit) {
-                        ((uint16_t*)line)[w - 1] =
-                        ((uint16_t*)line)[w - 2] = ((uint16_t*)line)[(w - 1) / 3];
+                        ((uint16_t*)line)[w - 1] = ((uint16_t*)line)[(w - 1) / 3];
+                        if (w > 1)
+                            ((uint16_t*)line)[w - 2] = ((uint16_t*)line)[w - 1];
                     } else {
-                        line[w - 1] =
-                        line[w - 2] = line[(w - 1) / 3];
+                        line[w - 1] = line[(w - 1) / 3];
+                        if (w > 1)
+                            line[w - 2] = line[w - 1];
                     }
                     for (index = w - 3; index > 0; index--) {
                         line[index] = (line[index / 3] + line[(index + 1) / 3] + line[(index + 2) / 3] + 1) / 3;
-- 
cgit v1.2.3