[FFmpeg-cvslog] aasc: fix out of array write
Paul B Mahol
git at videolan.org
Thu Aug 9 02:02:25 CEST 2012
ffmpeg | branch: master | Paul B Mahol <onemda at gmail.com> | Wed Aug 8 14:10:06 2012 +0000| [8a57ca5c6a1c0ad28afa7ea6f824981e6761cce1] | committer: Paul B Mahol
aasc: fix out of array write
Closes #1619.
Signed-off-by: Paul B Mahol <onemda at gmail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8a57ca5c6a1c0ad28afa7ea6f824981e6761cce1
---
libavcodec/aasc.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c
index bdb948e..f34a722 100644
--- a/libavcodec/aasc.c
+++ b/libavcodec/aasc.c
@@ -66,7 +66,7 @@ static int aasc_decode_frame(AVCodecContext *avctx,
const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size;
AascContext *s = avctx->priv_data;
- int compr, i, stride;
+ int compr, i, stride, psize;
s->frame.reference = 3;
s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
@@ -78,6 +78,7 @@ static int aasc_decode_frame(AVCodecContext *avctx,
compr = AV_RL32(buf);
buf += 4;
buf_size -= 4;
+ psize = avctx->bits_per_coded_sample / 8;
switch (avctx->codec_tag) {
case MKTAG('A', 'A', 'S', '4'):
bytestream2_init(&s->gb, buf - 4, buf_size + 4);
@@ -86,13 +87,13 @@ static int aasc_decode_frame(AVCodecContext *avctx,
case MKTAG('A', 'A', 'S', 'C'):
switch(compr){
case 0:
- stride = (avctx->width * 3 + 3) & ~3;
+ stride = (avctx->width * psize + psize) & ~psize;
for(i = avctx->height - 1; i >= 0; i--){
- if(avctx->width*3 > buf_size){
+ if(avctx->width * psize > buf_size){
av_log(avctx, AV_LOG_ERROR, "Next line is beyond buffer bounds\n");
break;
}
- memcpy(s->frame.data[0] + i*s->frame.linesize[0], buf, avctx->width*3);
+ memcpy(s->frame.data[0] + i*s->frame.linesize[0], buf, avctx->width * psize);
buf += stride;
buf_size -= stride;
}
More information about the ffmpeg-cvslog
mailing list