[FFmpeg-cvslog] Fix offset validity checks.
Reimar Döffinger
git at videolan.org
Sun Jan 29 21:53:29 CET 2012
ffmpeg | branch: master | Reimar Döffinger <Reimar.Doeffinger at gmx.de> | Sun Jan 29 18:16:23 2012 +0100| [f9eb6229447952c22cd3c3ba232bb3d1023ed5c8] | committer: Reimar Döffinger
Fix offset validity checks.
Offsets are relative to the end of the header, not the
start of the buffer, thus the buffer size needs to be subtracted.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger at gmx.de>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f9eb6229447952c22cd3c3ba232bb3d1023ed5c8
---
libavcodec/fraps.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c
index bbabfd9..a7d5a73 100644
--- a/libavcodec/fraps.c
+++ b/libavcodec/fraps.c
@@ -186,12 +186,12 @@ static int decode_frame(AVCodecContext *avctx,
}
for(i = 0; i < planes; i++) {
offs[i] = AV_RL32(buf + 4 + i * 4);
- if(offs[i] >= buf_size || (i && offs[i] <= offs[i - 1] + 1024)) {
+ if(offs[i] >= buf_size - header_size || (i && offs[i] <= offs[i - 1] + 1024)) {
av_log(avctx, AV_LOG_ERROR, "Fraps: plane %i offset is out of bounds\n", i);
return -1;
}
}
- offs[planes] = buf_size;
+ offs[planes] = buf_size - header_size;
for(i = 0; i < planes; i++) {
av_fast_padded_malloc(&s->tmpbuf, &s->tmpbuf_size, offs[i + 1] - offs[i] - 1024);
if (!s->tmpbuf)
More information about the ffmpeg-cvslog
mailing list