har0ke/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

xxan: fix invalid memory access in xan_decode_frame_type0()

Browse Source 
The loop a few lines below the xan_unpack() call accesses up to
dec_size * 2 bytes into y_buffer, so dec_size must be limited to
buffer_size / 2.

CC:libav-stable@libav.org
This commit is contained in:
Anton Khirnov 2013-03-06 09:06:16 +01:00
parent 6c7d339afc
commit 8a49d2bcbe
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
libavcodec/xxan.c
View File

@ -308,7 +308,7 @@ static int xan_decode_frame_type0(AVCodecContext *avctx)
int dec_size; int dec_size;
bytestream2_seek(&s->gb, 8 + corr_off, SEEK_SET); bytestream2_seek(&s->gb, 8 + corr_off, SEEK_SET);
dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size); dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size / 2);
if (dec_size < 0) if (dec_size < 0)
dec_size = 0; dec_size = 0;
for (i = 0; i < dec_size; i++) for (i = 0; i < dec_size; i++)