[libav-stable] xxan: fix invalid memory access in xan_decode_frame_type0()

Anton Khirnov git at libav.org
Fri Mar 8 08:15:14 CET 2013


Module: libav
Branch: master
Commit: 8a49d2bcbe7573bb4b765728b2578fac0d19763f

Author:    Anton Khirnov <anton at khirnov.net>
Committer: Anton Khirnov <anton at khirnov.net>
Date:      Wed Mar  6 09:06:16 2013 +0100

xxan: fix invalid memory access in xan_decode_frame_type0()

The loop a few lines below the xan_unpack() call accesses up to
dec_size * 2 bytes into y_buffer, so dec_size must be limited to
buffer_size / 2.

CC:libav-stable at libav.org

---

 libavcodec/xxan.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c
index 47ab54a..2bc9ff6 100644
--- a/libavcodec/xxan.c
+++ b/libavcodec/xxan.c
@@ -308,7 +308,7 @@ static int xan_decode_frame_type0(AVCodecContext *avctx)
         int dec_size;
 
         bytestream2_seek(&s->gb, 8 + corr_off, SEEK_SET);
-        dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size);
+        dec_size = xan_unpack(s, s->scratch_buffer, s->buffer_size / 2);
         if (dec_size < 0)
             dec_size = 0;
         for (i = 0; i < dec_size; i++)



More information about the libav-stable mailing list