avcodec/utvideodec: Fix bytes left check in decode_frame()

Fixes: out of array read Fixes: poc-2017.avi Found-by: GwanYeong Kim <gy741.kim@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 118e1b0b3370dd1c0da442901b486689efd1654b) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2018-02-02 21:44:57 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2018-04-13 00:35:15 +0200
commit: 0322f781777d4413bd57815ee9b5a7d6a0cfe716 (patch)
tree: 616478139a2fab057ec00d7166298b57c0640a89
parent: 4d4656e8cd094188ec2ada7f5bd6dbba14b52dd9 (diff)
download: ffmpeg-0322f781777d4413bd57815ee9b5a7d6a0cfe716.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 7c65d779c3..fda5de0732 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -638,7 +638,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
             for (j = 0; j < c->slices; j++) {
                 slice_end   = bytestream2_get_le32u(&gb);
                 if (slice_end < 0 || slice_end < slice_start ||
-                    bytestream2_get_bytes_left(&gb) < slice_end) {
+                    bytestream2_get_bytes_left(&gb) < slice_end + 1024LL) {
                     av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n");
                     return AVERROR_INVALIDDATA;
                 }
author	Michael Niedermayer <michael@niedermayer.cc>	2018-02-02 21:44:57 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2018-04-13 00:35:15 +0200
commit	0322f781777d4413bd57815ee9b5a7d6a0cfe716 (patch)
tree	616478139a2fab057ec00d7166298b57c0640a89
parent	4d4656e8cd094188ec2ada7f5bd6dbba14b52dd9 (diff)
download	ffmpeg-0322f781777d4413bd57815ee9b5a7d6a0cfe716.tar.gz