From 9a53707e86eb066e1c77460215c716f7962c71e7 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Wed, 26 Nov 2014 17:00:17 +0100
Subject: avcodec/pngdec: Fix paeth prediction with small images

Fixes out of array read
Fixes: asan_heap-oob_20b0a06_1962_cov_1907976991_delete_node_small.png
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/pngdec.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'libavcodec/pngdec.c')

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index f80a3fe9d7..35dcd76feb 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -267,8 +267,10 @@ static void png_filter_row(PNGDSPContext *dsp, uint8_t *dst, int filter_type,
             /* would write off the end of the array if we let it process
              * the last pixel with bpp=3 */
             int w = bpp == 4 ? size : size - 3;
-            dsp->add_paeth_prediction(dst + i, src + i, last + i, w - i, bpp);
-            i = w;
+            if (w > i) {
+                dsp->add_paeth_prediction(dst + i, src + i, last + i, w - i, bpp);
+                i = w;
+            }
         }
         ff_add_png_paeth_prediction(dst + i, src + i, last + i, size - i, bpp);
         break;
-- 
cgit v1.2.3