mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-12-23 12:43:46 +02:00
kgv1dec: Increase offsets array size so it is large enough.
Fixes CVE-2011-3945
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 807a045ab7
)
Signed-off-by: Alex Converse <alex.converse@gmail.com>
This commit is contained in:
parent
386741f887
commit
a02e8df973
@ -39,7 +39,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
|
||||
const uint8_t *buf = avpkt->data;
|
||||
const uint8_t *buf_end = buf + avpkt->size;
|
||||
KgvContext * const c = avctx->priv_data;
|
||||
int offsets[7];
|
||||
int offsets[8];
|
||||
uint16_t *out, *prev;
|
||||
int outcnt = 0, maxcnt;
|
||||
int w, h, i;
|
||||
@ -69,7 +69,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
|
||||
return -1;
|
||||
c->prev = prev;
|
||||
|
||||
for (i = 0; i < 7; i++)
|
||||
for (i = 0; i < 8; i++)
|
||||
offsets[i] = -1;
|
||||
|
||||
while (outcnt < maxcnt && buf_end - 2 > buf) {
|
||||
|
Loading…
Reference in New Issue
Block a user