[FFmpeg-cvslog] xxan: fix invalid memory access in xan_decode_frame_type0()
Anton Khirnov
git at videolan.org
Tue Mar 12 16:03:30 CET 2013
ffmpeg | branch: master | Anton Khirnov <anton at khirnov.net> | Wed Mar 6 09:06:16 2013 +0100| [8a49d2bcbe7573bb4b765728b2578fac0d19763f] | committer: Anton Khirnov
xxan: fix invalid memory access in xan_decode_frame_type0()
The loop a few lines below the xan_unpack() call accesses up to
dec_size * 2 bytes into y_buffer, so dec_size must be limited to
buffer_size / 2.
CC:libav-stable at libav.org
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8a49d2bcbe7573bb4b765728b2578fac0d19763f
---
libavcodec/xxan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c
index 47ab54a..2bc9ff6 100644
--- a/libavcodec/xxan.c
+++ b/libavcodec/xxan.c
@@ -308,7 +308,7 @@ static int xan_decode_frame_type0(AVCodecContext *avctx)
int dec_size;
bytestream2_seek(&s->gb, 8 + corr_off, SEEK_SET);
- dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size);
+ dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size / 2);
if (dec_size < 0)
dec_size = 0;
for (i = 0; i < dec_size; i++)
More information about the ffmpeg-cvslog
mailing list