diff options
| author | Reimar Döffinger <[email protected]> | 2012-01-29 18:16:23 +0100 |
|---|---|---|
| committer | Reimar Döffinger <[email protected]> | 2012-01-29 21:52:55 +0100 |
| commit | f9eb6229447952c22cd3c3ba232bb3d1023ed5c8 (patch) | |
| tree | 12a068b6664ee3c7c12918e36a9ba550677c5d63 | |
| parent | cd3ced1bb9e1ca72b0bb328f3b6e7e2bccfa2938 (diff) | |
Fix offset validity checks.
Offsets are relative to the end of the header, not the
start of the buffer, thus the buffer size needs to be subtracted.
Signed-off-by: Reimar Döffinger <[email protected]>
| -rw-r--r-- | libavcodec/fraps.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c index bbabfd9084..a7d5a73e41 100644 --- a/libavcodec/fraps.c +++ b/libavcodec/fraps.c @@ -186,12 +186,12 @@ static int decode_frame(AVCodecContext *avctx, } for(i = 0; i < planes; i++) { offs[i] = AV_RL32(buf + 4 + i * 4); - if(offs[i] >= buf_size || (i && offs[i] <= offs[i - 1] + 1024)) { + if(offs[i] >= buf_size - header_size || (i && offs[i] <= offs[i - 1] + 1024)) { av_log(avctx, AV_LOG_ERROR, "Fraps: plane %i offset is out of bounds\n", i); return -1; } } - offs[planes] = buf_size; + offs[planes] = buf_size - header_size; for(i = 0; i < planes; i++) { av_fast_padded_malloc(&s->tmpbuf, &s->tmpbuf_size, offs[i + 1] - offs[i] - 1024); if (!s->tmpbuf) |