virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-08 13:22:53 +02:00
Code Issues Releases Activity

aasc: fix out of array write

Browse Source 
Closes #1619.

Signed-off-by: Paul B Mahol <onemda@gmail.com>
This commit is contained in:
Paul B Mahol 2012-08-08 14:10:06 +00:00
parent 4ec03d1386
commit 8a57ca5c6a
1 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
libavcodec/aasc.c
View File

@ -66,7 +66,7 @@ static int aasc_decode_frame(AVCodecContext *avctx,
const uint8_t *buf = avpkt->data; const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size; int buf_size = avpkt->size;
AascContext *s = avctx->priv_data; AascContext *s = avctx->priv_data;
int compr, i, stride; int compr, i, stride, psize;
s->frame.reference = 3; s->frame.reference = 3;
s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE; s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
@ -78,6 +78,7 @@ static int aasc_decode_frame(AVCodecContext *avctx,
compr = AV_RL32(buf); compr = AV_RL32(buf);
buf += 4; buf += 4;
buf_size -= 4; buf_size -= 4;
psize = avctx->bits_per_coded_sample / 8;
switch (avctx->codec_tag) { switch (avctx->codec_tag) {
case MKTAG('A', 'A', 'S', '4'): case MKTAG('A', 'A', 'S', '4'):
bytestream2_init(&s->gb, buf - 4, buf_size + 4); bytestream2_init(&s->gb, buf - 4, buf_size + 4);
@ -86,13 +87,13 @@ static int aasc_decode_frame(AVCodecContext *avctx,
case MKTAG('A', 'A', 'S', 'C'): case MKTAG('A', 'A', 'S', 'C'):
switch(compr){ switch(compr){
case 0: case 0:
stride = (avctx->width * 3 + 3) & ~3; stride = (avctx->width * psize + psize) & ~psize;
for(i = avctx->height - 1; i >= 0; i--){ for(i = avctx->height - 1; i >= 0; i--){
if(avctx->width*3 > buf_size){ if(avctx->width * psize > buf_size){
av_log(avctx, AV_LOG_ERROR, "Next line is beyond buffer bounds\n"); av_log(avctx, AV_LOG_ERROR, "Next line is beyond buffer bounds\n");
break; break;
} }
memcpy(s->frame.data[0] + i*s->frame.linesize[0], buf, avctx->width*3); memcpy(s->frame.data[0] + i*s->frame.linesize[0], buf, avctx->width * psize);
buf += stride; buf += stride;
buf_size -= stride; buf_size -= stride;
} }