RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-03-02 10:41:16 +00:00
Code Issues Projects Releases Wiki Activity

xxan: fix invalid memory access in xan_decode_frame_type0()

Browse Source 
The loop a few lines below the xan_unpack() call accesses up to
dec_size * 2 bytes into y_buffer, so dec_size must be limited to
buffer_size / 2.

CC:libav-stable@libav.org
(cherry picked from commit 8a49d2bcbe)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
(cherry picked from commit 62a657de16)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>

Conflicts:
	libavcodec/xxan.c
This commit is contained in:
Reinhard Tartler 2013-05-07 07:24:16 +02:00
parent f13f6f82c6
commit 7e6625a9af
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
libavcodec/xxan.c
View File

@ -298,7 +298,7 @@ static int xan_decode_frame_type0(AVCodecContext *avctx, AVPacket *avpkt)
corr_end = avpkt->size;
if (chroma_off > corr_off)
corr_end = chroma_off;
dec_size = xan_unpack(s->scratch_buffer, s->buffer_size,
dec_size = xan_unpack(s->scratch_buffer, s->buffer_size / 2,
avpkt->data + 8 + corr_off,
corr_end - corr_off);
if (dec_size < 0)