author | Michael Niedermayer <michaelni@gmx.at> | 2013-05-22 17:39:22 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2014-01-16 00:42:23 +0100 |
commit | dee327b0e70d7051ed0d349974e88bd1ec8a246c (patch) | |
tree | 1a902154d5c5eb64b6b36f5bc6b1e4857c9d7151 | |
parent | e438fd3be905cefdf75d9cc5a632ded4dc043be5 (diff) | |
download | ffmpeg-dee327b0e70d7051ed0d349974e88bd1ec8a246c.tar.gz |
shorten: fix "off by padding" bug
Fixes array overread
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ad22767cb61cdc75541b21154d65fd1ad6351025)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/shorten.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c index 5765fa41b0..af17d9daf5 100644 --- a/libavcodec/shorten.c +++ b/libavcodec/shorten.c @@ -437,7 +437,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data, buf_size = FFMIN(buf_size, s->max_framesize - s->bitstream_size); input_buf_size = buf_size; - if (s->bitstream_index + s->bitstream_size + buf_size > + if (s->bitstream_index + s->bitstream_size + buf_size + FF_INPUT_BUFFER_PADDING_SIZE > s->allocated_bitstream_size) { memmove(s->bitstream, &s->bitstream[s->bitstream_index], s->bitstream_size); |
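Review bot: the changed condition in shorten_decode_frame now includes FF_INPUT_BUFFER_PADDING_SIZE, but neither the code nor the commit message says why the padding belongs in this bound. A one-line comment above the `if` would help, stating that the bytes following the buffered data, up to the padding size, must also lie inside `s->allocated_bitstream_size`. The memmove branch also only moves the data back to the start of `s->bitstream`. Since `buf_size` is clamped to `s->max_framesize - s->bitstream_size` just above, the move is sufficient only if the allocation is at least `s->max_framesize + FF_INPUT_BUFFER_PADDING_SIZE`. The allocation is not visible in this hunk, so please confirm that it includes the padding, or add an assertion on that invariant next to this check.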