From 8a49d2bcbe7573bb4b765728b2578fac0d19763f Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Wed, 6 Mar 2013 09:06:16 +0100
Subject: [PATCH] xxan: fix invalid memory access in xan_decode_frame_type0()
The loop a few lines below the xan_unpack() call accesses up to dec_size * 2 bytes into y_buffer, so dec_size must be limited to buffer_size / 2.
CC:libav-stable@libav.org
---
 libavcodec/xxan.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c
index 47ab54a7f9..2bc9ff697b 100644
--- a/libavcodec/xxan.c
+++ b/libavcodec/xxan.c
@@ -308,7 +308,7 @@ static int xan_decode_frame_type0(AVCodecContext *avctx)
 int dec_size;
 bytestream2_seek(&s->gb, 8 + corr_off, SEEK_SET);
- dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size);
+ dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size / 2);
 if (dec_size < 0)
 dec_size = 0;
 for (i = 0; i < dec_size; i++)
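Review bot: The `s->buffer_size / 2` cap on the xan_unpack() call is only safe because of how the loop that follows indexes y_buffer, and nothing at the call site records that coupling, so a later change to either side can silently reopen the out-of-bounds access. I would add a comment directly above the call, for example `/* the loop below touches up to 2 * dec_size bytes of y_buffer, so unpack at most buffer_size / 2 */`. The bound also presumes that y_buffer holds at least buffer_size bytes, which is not visible in this hunk and should be confirmed where the buffers are allocated. Separately, the context lines turn a negative xan_unpack() result into `dec_size = 0` with no diagnostic; if that is deliberate best-effort decoding, a short comment saying so would help anyone triaging corrupt input. The loop body and the rest of xan_decode_frame_type0() lie outside the hunk.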