diff options
author | Paul B Mahol <onemda@gmail.com> | 2023-02-15 13:54:11 +0100 |
---|---|---|
committer | Paul B Mahol <onemda@gmail.com> | 2023-02-15 14:16:48 +0100 |
commit | cb350367660032e2e47fa379a3f119ddf60eb029 (patch) | |
tree | 7d12f1f2b1a8cb0e2891e5b92b4b39a9f3af87c6 | |
parent | 4113445e9d4d7600c676ee0e42f1dc7968de6e0f (diff) | |
download | ffmpeg-cb350367660032e2e47fa379a3f119ddf60eb029.tar.gz |
avcodec/rka: fix array overflow
-rw-r--r-- | libavcodec/rka.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/libavcodec/rka.c b/libavcodec/rka.c index 7b3ba771a6..8719325a9e 100644 --- a/libavcodec/rka.c +++ b/libavcodec/rka.c @@ -77,8 +77,8 @@ typedef struct ChContext { Model64 mdl64[4][11]; - int32_t buf0[12001]; - int32_t buf1[12001]; + int32_t buf0[131072+2560]; + int32_t buf1[131072+2560]; } ChContext; typedef struct RKAContext { @@ -701,6 +701,9 @@ static int decode_filter(RKAContext *s, ChContext *ctx, ACoder *ac, int off, uns for (int y = 0; y < FFMIN(split, size - x); y++, off++) { int midx, shift = idx, *src, sum = 16; + if (off >= FF_ARRAY_ELEMS(ctx->buf0)) + return -1; + midx = FFABS(last_val) >> shift; if (midx >= 15) { mdl64 = &ctx->mdl64[3][idx]; |