diff options
| author | Reinhard Tartler <siretart@tauware.de> | 2013-05-07 07:24:16 +0200 |
|---|---|---|
| committer | Reinhard Tartler <siretart@tauware.de> | 2013-05-09 11:20:11 +0200 |
| commit | 7e6625a9afbe247e5b5da1f1bc4071cb8ae83192 (patch) | |
| tree | 1c7b14d0c39951523ef607e6ae4c21d589b0ec7d | |
| parent | f13f6f82c63f5b8fc3235c750a69c6ba8ac4cae1 (diff) | |
| download | ffmpeg-7e6625a9afbe247e5b5da1f1bc4071cb8ae83192.tar.gz | |
xxan: fix invalid memory access in xan_decode_frame_type0()
The loop a few lines below the xan_unpack() call accesses up to
dec_size * 2 bytes into y_buffer, so dec_size must be limited to
buffer_size / 2.
CC:libav-stable@libav.org
(cherry picked from commit 8a49d2bcbe7573bb4b765728b2578fac0d19763f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 62a657de168cf501acb23d48cc1aa00793dc83f3)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Conflicts:
libavcodec/xxan.c
| -rw-r--r-- | libavcodec/xxan.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index daaba6389a..12f7d3ada1 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c @@ -298,7 +298,7 @@ static int xan_decode_frame_type0(AVCodecContext *avctx, AVPacket *avpkt) corr_end = avpkt->size; if (chroma_off > corr_off) corr_end = chroma_off; - dec_size = xan_unpack(s->scratch_buffer, s->buffer_size, + dec_size = xan_unpack(s->scratch_buffer, s->buffer_size / 2, avpkt->data + 8 + corr_off, corr_end - corr_off); if (dec_size < 0) |