xface: Fix encoder crashes due to too small on-stack array.

Also add a FATE test.

Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>

2 files changed, 8 insertions, 4 deletions

diff --git a/libavcodec/xface.h b/libavcodec/xface.h
index cd59ba084a..6fbe908b67 100644
--- a/libavcodec/xface.h
+++ b/libavcodec/xface.h
@@ -40,11 +40,12 @@
 
 /*
  * Image is encoded as a big integer, using characters from '~' to
- * '!', for a total of 92 symbols. In order to express 48x48=2304
- * bits, we need a total of 354 digits, as given by:
- * ceil(lg_92(2^2304)) = 354
+ * '!', for a total of 94 symbols. In order to express
+ * 48x48*2=8*XFACE_MAX_WORDS=4608
+ * bits, we need a total of 704 digits, as given by:
+ * ceil(lg_94(2^4608)) = 704
  */
-#define XFACE_MAX_DIGITS 354
+#define XFACE_MAX_DIGITS 704
 
 #define XFACE_BITSPERWORD 8
 #define XFACE_WORDCARRY (1 << XFACE_BITSPERWORD)
diff --git a/libavcodec/xfaceenc.c b/libavcodec/xfaceenc.c
index e213c9d70a..0ade302c46 100644
--- a/libavcodec/xfaceenc.c
+++ b/libavcodec/xfaceenc.c
@@ -27,6 +27,7 @@
 #include "xface.h"
 #include "avcodec.h"
 #include "internal.h"
+#include "libavutil/avassert.h"
 
 typedef struct XFaceContext {
     AVClass *class;
@@ -196,9 +197,11 @@ static int xface_encode_frame(AVCodecContext *avctx, AVPacket *pkt,
 
     /* write the inverted big integer in b to intbuf */
     i = 0;
+    av_assert0(b.nb_words < XFACE_MAX_WORDS);
     while (b.nb_words) {
         uint8_t r;
         ff_big_div(&b, XFACE_PRINTS, &r);
+        av_assert0(i < sizeof(intbuf));
         intbuf[i++] = r + XFACE_FIRST_PRINT;
     }