diff options
author | Paul B Mahol <onemda@gmail.com> | 2012-08-08 14:10:06 +0000 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2012-09-15 00:21:58 +0200 |
commit | 99dbda30085c04236332ce0cca9f9bfd241ac4cd (patch) | |
tree | f7c5ce8061bbabd94c61dca5e9db7aa8776d1a30 | |
parent | d721cb009d73662f35c629bdc678e25786e79301 (diff) | |
download | ffmpeg-99dbda30085c04236332ce0cca9f9bfd241ac4cd.tar.gz |
aasc: fix out of array write
Closes #1619.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
(cherry picked from commit 8a57ca5c6a1c0ad28afa7ea6f824981e6761cce1)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/aasc.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c index db33eff5eb..a7944c2767 100644 --- a/libavcodec/aasc.c +++ b/libavcodec/aasc.c @@ -66,7 +66,7 @@ static int aasc_decode_frame(AVCodecContext *avctx, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; AascContext *s = avctx->priv_data; - int compr, i, stride; + int compr, i, stride, psize; s->frame.reference = 3; s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE; @@ -78,6 +78,7 @@ static int aasc_decode_frame(AVCodecContext *avctx, compr = AV_RL32(buf); buf += 4; buf_size -= 4; + psize = avctx->bits_per_coded_sample / 8; switch (avctx->codec_tag) { case MKTAG('A', 'A', 'S', '4'): bytestream2_init(&s->gb, buf - 4, buf_size + 4); @@ -86,13 +87,13 @@ static int aasc_decode_frame(AVCodecContext *avctx, case MKTAG('A', 'A', 'S', 'C'): switch(compr){ case 0: - stride = (avctx->width * 3 + 3) & ~3; + stride = (avctx->width * psize + psize) & ~psize; for(i = avctx->height - 1; i >= 0; i--){ - if(avctx->width*3 > buf_size){ + if(avctx->width * psize > buf_size){ av_log(avctx, AV_LOG_ERROR, "Next line is beyond buffer bounds\n"); break; } - memcpy(s->frame.data[0] + i*s->frame.linesize[0], buf, avctx->width*3); + memcpy(s->frame.data[0] + i*s->frame.linesize[0], buf, avctx->width * psize); buf += stride; buf_size -= stride; } |