wmalosslessdec: fix mclms_coeffs* array size

Fixes corruption of context Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org Bug-Id: CVE-2014-2098 Signed-off-by: Anton Khirnov <anton@khirnov.net> (cherry picked from commit 849b9d34c7ef70b370c53e7af3940f51cbc07d0f) Signed-off-by: Anton Khirnov <anton@khirnov.net>
author: Michael Niedermayer <michaelni@gmx.at> 2014-02-07 15:07:23 +0100
committer: Anton Khirnov <anton@khirnov.net> 2014-08-05 15:05:22 +0000
commit: 36d8914f1b94e4731d2fc67162902839c106e72e (patch)
tree: d85dc074f38583c45865f5a82c3cd460f52603b1
parent: 146b187113e3cc20c2a97c5f264da13e701ca247 (diff)
download: ffmpeg-36d8914f1b94e4731d2fc67162902839c106e72e.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index 747ac37dc0..8060d279b5 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -127,8 +127,8 @@ typedef struct WmallDecodeCtx {
 
     int8_t  mclms_order;
     int8_t  mclms_scaling;
-    int16_t mclms_coeffs[128];
-    int16_t mclms_coeffs_cur[4];
+    int16_t mclms_coeffs[WMALL_MAX_CHANNELS * WMALL_MAX_CHANNELS * 32];
+    int16_t mclms_coeffs_cur[WMALL_MAX_CHANNELS * WMALL_MAX_CHANNELS];
     int16_t mclms_prevvalues[WMALL_MAX_CHANNELS * 2 * 32];
     int16_t mclms_updates[WMALL_MAX_CHANNELS * 2 * 32];
     int     mclms_recent;
author	Michael Niedermayer <michaelni@gmx.at>	2014-02-07 15:07:23 +0100
committer	Anton Khirnov <anton@khirnov.net>	2014-08-05 15:05:22 +0000
commit	36d8914f1b94e4731d2fc67162902839c106e72e (patch)
tree	d85dc074f38583c45865f5a82c3cd460f52603b1
parent	146b187113e3cc20c2a97c5f264da13e701ca247 (diff)
download	ffmpeg-36d8914f1b94e4731d2fc67162902839c106e72e.tar.gz