avcodec/cfhd: Use bytestream2 for peaks

This fixes out of array accesses
No testcase known

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

libavcodec/cfhd.c

@@ -79,7 +79,7 @@ static void init_peak_table_defaults(CFHDContext *s)
 {
     s->peak.level  = 0;
     s->peak.offset = 0;
-    s->peak.base   = NULL;
+    memset(&s->peak.base, 0, sizeof(s->peak.base));
 }
 
 static void init_frame_defaults(CFHDContext *s)
@@ -133,7 +133,7 @@ static inline void peak_table(int16_t *band, Peak *peak, int length)
     int i;
     for (i = 0; i < length; i++)
         if (abs(band[i]) > peak->level)
-            band[i] = *(peak->base++);
+            band[i] = bytestream2_get_le16(&peak->base);
 }
 
 static inline void process_alpha(int16_t *alpha, int width)
@@ -537,16 +537,16 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
         } else if (tag == -75) {
             s->peak.offset &= ~0xffff;
             s->peak.offset |= (data & 0xffff);
-            s->peak.base    = (int16_t *) gb.buffer;
+            s->peak.base    = gb;
             s->peak.level   = 0;
         } else if (tag == -76) {
             s->peak.offset &= 0xffff;
             s->peak.offset |= (data & 0xffffU)<<16;
-            s->peak.base    = (int16_t *) gb.buffer;
+            s->peak.base    = gb;
             s->peak.level   = 0;
         } else if (tag == -74 && s->peak.offset) {
             s->peak.level = data;
-            s->peak.base += s->peak.offset / 2 - 2;
+            bytestream2_seek(&s->peak.base, s->peak.offset - 4, SEEK_CUR);
         } else
             av_log(avctx, AV_LOG_DEBUG,  "Unknown tag %i data %x\n", tag, data);
 

libavcodec/cfhd.h

@@ -26,6 +26,7 @@
 #include "libavutil/avassert.h"
 
 #include "avcodec.h"
+#include "bytestream.h"
 #include "get_bits.h"
 #include "vlc.h"
 
@@ -71,7 +72,7 @@ typedef struct Plane {
 typedef struct Peak {
     int level;
     int offset;
-    const int16_t *base;
+    GetByteContext base;
 } Peak;
 
 typedef struct CFHDContext {