diff options
author | Paul B Mahol <onemda@gmail.com> | 2012-08-08 14:10:06 +0000 |
---|---|---|
committer | Paul B Mahol <onemda@gmail.com> | 2012-08-09 00:02:05 +0000 |
commit | 8a57ca5c6a1c0ad28afa7ea6f824981e6761cce1 (patch) | |
tree | 852dd869f8c14c046c90108af94df4a21ae68396 | |
parent | 4ec03d138622b77887974a254861a425a57e02c3 (diff) | |
download | ffmpeg-8a57ca5c6a1c0ad28afa7ea6f824981e6761cce1.tar.gz |
aasc: fix out of array write
Closes #1619.
Signed-off-by: Paul B Mahol <onemda@gmail.com>
-rw-r--r-- | libavcodec/aasc.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c index bdb948ea7c..f34a722f13 100644 --- a/libavcodec/aasc.c +++ b/libavcodec/aasc.c @@ -66,7 +66,7 @@ static int aasc_decode_frame(AVCodecContext *avctx, const uint8_t *buf = avpkt->data; int buf_size = avpkt->size; AascContext *s = avctx->priv_data; - int compr, i, stride; + int compr, i, stride, psize; s->frame.reference = 3; s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE; @@ -78,6 +78,7 @@ static int aasc_decode_frame(AVCodecContext *avctx, compr = AV_RL32(buf); buf += 4; buf_size -= 4; + psize = avctx->bits_per_coded_sample / 8; switch (avctx->codec_tag) { case MKTAG('A', 'A', 'S', '4'): bytestream2_init(&s->gb, buf - 4, buf_size + 4); @@ -86,13 +87,13 @@ static int aasc_decode_frame(AVCodecContext *avctx, case MKTAG('A', 'A', 'S', 'C'): switch(compr){ case 0: - stride = (avctx->width * 3 + 3) & ~3; + stride = (avctx->width * psize + psize) & ~psize; for(i = avctx->height - 1; i >= 0; i--){ - if(avctx->width*3 > buf_size){ + if(avctx->width * psize > buf_size){ av_log(avctx, AV_LOG_ERROR, "Next line is beyond buffer bounds\n"); break; } - memcpy(s->frame.data[0] + i*s->frame.linesize[0], buf, avctx->width*3); + memcpy(s->frame.data[0] + i*s->frame.linesize[0], buf, avctx->width * psize); buf += stride; buf_size -= stride; } |