authorMichael Niedermayer <michaelni@gmx.at>2012-06-01 23:21:03 +0200
committerMichael Niedermayer <michaelni@gmx.at>2012-06-01 23:22:54 +0200
commit0bae6661cd171abf55cfa4b8970b08c470d65dee (patch)
treebc2878a7b621d6243aa7145d519f20809a9cfde5
parentf23a2418fb0ccc56fdae4dbf83a5994cc917c475 (diff)
fraps: fix version 0/1 input data size check.
Fixes array overread. Fixes Ticket1371 Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/fraps.c12
1 files changed, 6 insertions, 6 deletions
diff --git a/libavcodec/fraps.c b/libavcodec/fraps.c
index 30c23d8f3c..1cf4062a21 100644
--- a/libavcodec/fraps.c
+++ b/libavcodec/fraps.c
@@ -161,17 +161,17 @@ static int decode_frame(AVCodecContext *avctx,
unsigned needed_size = avctx->width*avctx->height*3;
if (version == 0) needed_size /= 2;
needed_size += header_size;
- if (buf_size != needed_size && buf_size != header_size) {
- av_log(avctx, AV_LOG_ERROR,
- "Invalid frame length %d (should be %d)\n",
- buf_size, needed_size);
- return -1;
- }
/* bit 31 means same as previous pic */
if (header & (1U<<31)) {
*data_size = 0;
return buf_size;
}
+ if (buf_size != needed_size) {
+ av_log(avctx, AV_LOG_ERROR,
+ "Invalid frame length %d (should be %d)\n",
+ buf_size, needed_size);
+ return -1;
+ }
} else {
/* skip frame */
if (buf_size == 8) {
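Review bot: The relocated `buf_size != needed_size` check is only as reliable as `needed_size`, which the first context line computes as `avctx->width*avctx->height*3` in `int` arithmetic; if width and height are not bounded before decode_frame runs (not visible in this hunk), the product can overflow and the equality test would compare against a wrapped value. Computing it in a wider type and rejecting oversized results, e.g. `uint64_t px = (uint64_t)avctx->width * avctx->height * 3;` followed by `if (px > INT_MAX - header_size) return -1;`, would remove that dependency. The log call also prints the unsigned `needed_size` with `%d`, where `%u` matches the type. A one-line comment above the moved check, such as `/* repeat frames are header-only, so validate the payload size only after the early return above */`, would record why the order matters. decode_frame starts and ends outside this hunk.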