avcodec/utvideodec: Fix bytes left check in decode_frame()

Fixes: out of array read Fixes: poc-2017.avi Found-by: GwanYeong Kim <gy741.kim@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 118e1b0b3370dd1c0da442901b486689efd1654b) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2018-02-02 21:44:57 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2018-07-08 13:07:06 +0200
commit: 22aa37c0fedf14531783189a197542a055959b6c (patch)
tree: 6701afebb69d545f0febc30111d55c6c488a2b8f
parent: 7cc7346dfdefb91c99b6dea9222a2cebc53c8a04 (diff)
download: ffmpeg-22aa37c0fedf14531783189a197542a055959b6c.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c
index 650c0ec67d..a52082fb1b 100644
--- a/libavcodec/utvideodec.c
+++ b/libavcodec/utvideodec.c
@@ -534,7 +534,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
             for (j = 0; j < c->slices; j++) {
                 slice_end   = bytestream2_get_le32u(&gb);
                 if (slice_end < 0 || slice_end < slice_start ||
-                    bytestream2_get_bytes_left(&gb) < slice_end) {
+                    bytestream2_get_bytes_left(&gb) < slice_end + 1024LL) {
                     av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n");
                     return AVERROR_INVALIDDATA;
                 }
author	Michael Niedermayer <michael@niedermayer.cc>	2018-02-02 21:44:57 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2018-07-08 13:07:06 +0200
commit	22aa37c0fedf14531783189a197542a055959b6c (patch)
tree	6701afebb69d545f0febc30111d55c6c488a2b8f
parent	7cc7346dfdefb91c99b6dea9222a2cebc53c8a04 (diff)
download	ffmpeg-22aa37c0fedf14531783189a197542a055959b6c.tar.gz