xface: Fix encoder crashes due to too small on-stack array.

Also add a FATE test. Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
author: Reimar Döffinger <Reimar.Doeffinger@gmx.de> 2014-11-22 23:12:51 +0100
committer: Reimar Döffinger <Reimar.Doeffinger@gmx.de> 2014-11-23 06:51:18 +0100
commit: 6369a7b742bd64e7ded377fe79a5d723379ce08d (patch)
tree: b499b386e60267de3a4774b86f6888fb878d1eef /libavcodec/xfaceenc.c
parent: d0682b5eb0d9b6d2c1bc8d03e7ab87c29bb08abc (diff)
download: ffmpeg-6369a7b742bd64e7ded377fe79a5d723379ce08d.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/libavcodec/xfaceenc.c b/libavcodec/xfaceenc.c
index e213c9d70a..0ade302c46 100644
--- a/libavcodec/xfaceenc.c
+++ b/libavcodec/xfaceenc.c
@@ -27,6 +27,7 @@
 #include "xface.h"
 #include "avcodec.h"
 #include "internal.h"
+#include "libavutil/avassert.h"
 
 typedef struct XFaceContext {
     AVClass *class;
@@ -196,9 +197,11 @@ static int xface_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
 
     /* write the inverted big integer in b to intbuf */
     i = 0;
+    av_assert0(b.nb_words < XFACE_MAX_WORDS);
     while (b.nb_words) {
         uint8_t r;
         ff_big_div(&b, XFACE_PRINTS, &r);
+        av_assert0(i < sizeof(intbuf));
         intbuf[i++] = r + XFACE_FIRST_PRINT;
     }
author	Reimar Döffinger <Reimar.Doeffinger@gmx.de>	2014-11-22 23:12:51 +0100
committer	Reimar Döffinger <Reimar.Doeffinger@gmx.de>	2014-11-23 06:51:18 +0100
commit	6369a7b742bd64e7ded377fe79a5d723379ce08d (patch)
tree	b499b386e60267de3a4774b86f6888fb878d1eef /libavcodec/xfaceenc.c
parent	d0682b5eb0d9b6d2c1bc8d03e7ab87c29bb08abc (diff)
download	ffmpeg-6369a7b742bd64e7ded377fe79a5d723379ce08d.tar.gz