[FFmpeg-cvslog] xxan: fix invalid memory access in xan_decode_frame_type0()

Reinhard Tartler git at videolan.org
Sun Oct 6 19:06:08 CEST 2013


ffmpeg | branch: release/0.7 | Reinhard Tartler <siretart at tauware.de> | Tue May  7 07:24:16 2013 +0200| [7e6625a9afbe247e5b5da1f1bc4071cb8ae83192] | committer: Reinhard Tartler

xxan: fix invalid memory access in xan_decode_frame_type0()

The loop a few lines below the xan_unpack() call accesses up to
dec_size * 2 bytes into y_buffer, so dec_size must be limited to
buffer_size / 2.

CC:libav-stable at libav.org
(cherry picked from commit 8a49d2bcbe7573bb4b765728b2578fac0d19763f)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>
(cherry picked from commit 62a657de168cf501acb23d48cc1aa00793dc83f3)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

Conflicts:
	libavcodec/xxan.c

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7e6625a9afbe247e5b5da1f1bc4071cb8ae83192
---

 libavcodec/xxan.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c
index daaba63..12f7d3a 100644
--- a/libavcodec/xxan.c
+++ b/libavcodec/xxan.c
@@ -298,7 +298,7 @@ static int xan_decode_frame_type0(AVCodecContext *avctx, AVPacket *avpkt)
         corr_end = avpkt->size;
         if (chroma_off > corr_off)
             corr_end = chroma_off;
-        dec_size = xan_unpack(s->scratch_buffer, s->buffer_size,
+        dec_size = xan_unpack(s->scratch_buffer, s->buffer_size / 2,
                               avpkt->data + 8 + corr_off,
                               corr_end - corr_off);
         if (dec_size < 0)
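
Review bot: The `s->buffer_size / 2` limit passed to xan_unpack() carries no comment tying it to the loop further down that, per the commit message, reads up to dec_size * 2 bytes into y_buffer. A one-line comment at the call would keep a later cleanup from restoring the full `s->buffer_size`. The bound is also expressed through the scratch buffer's size while the access being protected is into y_buffer, and the hunk does not show that y_buffer holds at least s->buffer_size bytes, so that relationship is worth confirming next to the allocation. Integer division rounds down, so an odd buffer_size stays on the safe side.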


