[FFmpeg-cvslog] aasc: fix out of array write

Paul B Mahol git at videolan.org
Thu Aug 9 02:02:25 CEST 2012


ffmpeg | branch: master | Paul B Mahol <onemda at gmail.com> | Wed Aug  8 14:10:06 2012 +0000| [8a57ca5c6a1c0ad28afa7ea6f824981e6761cce1] | committer: Paul B Mahol

aasc: fix out of array write

Closes #1619.

Signed-off-by: Paul B Mahol <onemda at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8a57ca5c6a1c0ad28afa7ea6f824981e6761cce1
---

 libavcodec/aasc.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c
index bdb948e..f34a722 100644
--- a/libavcodec/aasc.c
+++ b/libavcodec/aasc.c
@@ -66,7 +66,7 @@ static int aasc_decode_frame(AVCodecContext *avctx,
     const uint8_t *buf = avpkt->data;
     int buf_size = avpkt->size;
     AascContext *s = avctx->priv_data;
-    int compr, i, stride;
+    int compr, i, stride, psize;
 
     s->frame.reference = 3;
     s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
@@ -78,6 +78,7 @@ static int aasc_decode_frame(AVCodecContext *avctx,
     compr = AV_RL32(buf);
     buf += 4;
     buf_size -= 4;
+    psize = avctx->bits_per_coded_sample / 8;
     switch (avctx->codec_tag) {
     case MKTAG('A', 'A', 'S', '4'):
         bytestream2_init(&s->gb, buf - 4, buf_size + 4);
@@ -86,13 +87,13 @@ static int aasc_decode_frame(AVCodecContext *avctx,
     case MKTAG('A', 'A', 'S', 'C'):
     switch(compr){
     case 0:
-        stride = (avctx->width * 3 + 3) & ~3;
+        stride = (avctx->width * psize + psize) & ~psize;
         for(i = avctx->height - 1; i >= 0; i--){
-            if(avctx->width*3 > buf_size){
+            if(avctx->width * psize > buf_size){
                 av_log(avctx, AV_LOG_ERROR, "Next line is beyond buffer bounds\n");
                 break;
             }
-            memcpy(s->frame.data[0] + i*s->frame.linesize[0], buf, avctx->width*3);
+            memcpy(s->frame.data[0] + i*s->frame.linesize[0], buf, avctx->width * psize);
             buf += stride;
             buf_size -= stride;
         }



More information about the ffmpeg-cvslog mailing list