xxan: fix invalid memory access in xan_decode_frame_type0()

The loop a few lines below the xan_unpack() call accesses up to dec_size * 2 bytes into y_buffer, so dec_size must be limited to buffer_size / 2. CC:libav-stable@libav.org (cherry picked from commit 8a49d2bcbe7573bb4b765728b2578fac0d19763f) Signed-off-by: Reinhard Tartler <siretart@tauware.de> (cherry picked from commit 62a657de168cf501acb23d48cc1aa00793dc83f3) Signed-off-by: Reinhard Tartler <siretart@tauware.de>
author: Anton Khirnov <anton@khirnov.net> 2013-03-06 09:06:16 +0100
committer: Reinhard Tartler <siretart@tauware.de> 2013-03-09 18:54:28 +0100
commit: e10af023b2579791d4de7a16d4958229dc62be03 (patch)
tree: 7ea2e397567f77ddad0bd2bd012634337100c212
parent: b527dd30e9461b57dff17afe6c8738c3f20d2cb7 (diff)
download: ffmpeg-e10af023b2579791d4de7a16d4958229dc62be03.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c
index 0a37d48f6b..59e1229802 100644
--- a/libavcodec/xxan.c
+++ b/libavcodec/xxan.c
@@ -296,7 +296,7 @@ static int xan_decode_frame_type0(AVCodecContext *avctx)
         if (chroma_off > corr_off)
             corr_end = chroma_off;
         bytestream2_seek(&s->gb, 8 + corr_off, SEEK_SET);
-        dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size);
+        dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size / 2);
         if (dec_size < 0)
             dec_size = 0;
         for (i = 0; i < dec_size; i++)
author	Anton Khirnov <anton@khirnov.net>	2013-03-06 09:06:16 +0100
committer	Reinhard Tartler <siretart@tauware.de>	2013-03-09 18:54:28 +0100
commit	e10af023b2579791d4de7a16d4958229dc62be03 (patch)
tree	7ea2e397567f77ddad0bd2bd012634337100c212
parent	b527dd30e9461b57dff17afe6c8738c3f20d2cb7 (diff)
download	ffmpeg-e10af023b2579791d4de7a16d4958229dc62be03.tar.gz