aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPaul B Mahol <onemda@gmail.com>2012-08-08 14:10:06 +0000
committerPaul B Mahol <onemda@gmail.com>2012-08-09 00:02:05 +0000
commit8a57ca5c6a1c0ad28afa7ea6f824981e6761cce1 (patch)
tree852dd869f8c14c046c90108af94df4a21ae68396
parent4ec03d138622b77887974a254861a425a57e02c3 (diff)
downloadffmpeg-8a57ca5c6a1c0ad28afa7ea6f824981e6761cce1.tar.gz
aasc: fix out of array write
Closes #1619. Signed-off-by: Paul B Mahol <onemda@gmail.com>
-rw-r--r--libavcodec/aasc.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/libavcodec/aasc.c b/libavcodec/aasc.c
index bdb948ea7c..f34a722f13 100644
--- a/libavcodec/aasc.c
+++ b/libavcodec/aasc.c
@@ -66,7 +66,7 @@ static int aasc_decode_frame(AVCodecContext *avctx,
const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size;
AascContext *s = avctx->priv_data;
- int compr, i, stride;
+ int compr, i, stride, psize;
s->frame.reference = 3;
s->frame.buffer_hints = FF_BUFFER_HINTS_VALID | FF_BUFFER_HINTS_PRESERVE | FF_BUFFER_HINTS_REUSABLE;
@@ -78,6 +78,7 @@ static int aasc_decode_frame(AVCodecContext *avctx,
compr = AV_RL32(buf);
buf += 4;
buf_size -= 4;
+ psize = avctx->bits_per_coded_sample / 8;
switch (avctx->codec_tag) {
case MKTAG('A', 'A', 'S', '4'):
bytestream2_init(&s->gb, buf - 4, buf_size + 4);
@@ -86,13 +87,13 @@ static int aasc_decode_frame(AVCodecContext *avctx,
case MKTAG('A', 'A', 'S', 'C'):
switch(compr){
case 0:
- stride = (avctx->width * 3 + 3) & ~3;
+ stride = (avctx->width * psize + psize) & ~psize;
for(i = avctx->height - 1; i >= 0; i--){
- if(avctx->width*3 > buf_size){
+ if(avctx->width * psize > buf_size){
av_log(avctx, AV_LOG_ERROR, "Next line is beyond buffer bounds\n");
break;
}
- memcpy(s->frame.data[0] + i*s->frame.linesize[0], buf, avctx->width*3);
+ memcpy(s->frame.data[0] + i*s->frame.linesize[0], buf, avctx->width * psize);
buf += stride;
buf_size -= stride;
}