From 644cae168b61bef7b24f19cf9c20098b6119a8b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20B=C5=93sch?= <u@pkh.me>
Date: Fri, 21 Feb 2014 14:16:00 +0100
Subject: [PATCH] avcodec/pngenc: fix invalid read in sub filter.

First pixel was computed based on invalid address read, and then
corrected by the following memcpy. After the commit, it's not computed
anymore, and memcpy fills the appropriate area.

Fixes Ticket #3387
---
 libavcodec/pngenc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/pngenc.c b/libavcodec/pngenc.c
index bf61be1..7fb511a 100644
--- a/libavcodec/pngenc.c
+++ b/libavcodec/pngenc.c
@@ -123,7 +123,7 @@ static void png_filter_row(DSPContext *dsp, uint8_t *dst, int filter_type,
         memcpy(dst, src, size);
         break;
     case PNG_FILTER_VALUE_SUB:
-        dsp->diff_bytes(dst, src, src-bpp, size);
+        dsp->diff_bytes(dst + bpp, src + bpp, src, size - bpp);
         memcpy(dst, src, bpp);
         break;
     case PNG_FILTER_VALUE_UP:
-- 
1.9.0