shorten: fix "off by padding" bug
Fixes array overread.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
parent
14ec9d2590
commit
ad22767cb6
@ -437,7 +437,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
|
|||||||
buf_size = FFMIN(buf_size, s->max_framesize - s->bitstream_size);
|
buf_size = FFMIN(buf_size, s->max_framesize - s->bitstream_size);
|
||||||
input_buf_size = buf_size;
|
input_buf_size = buf_size;
|
||||||
|
|
||||||
if (s->bitstream_index + s->bitstream_size + buf_size >
|
if (s->bitstream_index + s->bitstream_size + buf_size + FF_INPUT_BUFFER_PADDING_SIZE >
|
||||||
s->allocated_bitstream_size) {
|
s->allocated_bitstream_size) {
|
||||||
memmove(s->bitstream, &s->bitstream[s->bitstream_index],
|
memmove(s->bitstream, &s->bitstream[s->bitstream_index],
|
||||||
s->bitstream_size);
|
s->bitstream_size);
|
||||||
|
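Review bot: The condition that now adds `FF_INPUT_BUFFER_PADDING_SIZE` only decides whether the buffer is compacted with `memmove`; nothing in the hunk shows that `s->bitstream_size + buf_size + FF_INPUT_BUFFER_PADDING_SIZE` fits in `s->allocated_bitstream_size` once the data has been moved to the front. The `FFMIN` clamp above bounds `buf_size` by `s->max_framesize - s->bitstream_size` without the padding, so the fix is complete only if the allocation (outside this hunk) is at least `max_framesize + FF_INPUT_BUFFER_PADDING_SIZE` bytes. I would either confirm that at the allocation site or state the invariant after the compaction, for example `av_assert0(s->bitstream_size + buf_size + FF_INPUT_BUFFER_PADDING_SIZE <= s->allocated_bitstream_size);`. A short comment on the `if` such as `/* keep room for the padding that the bitstream reader may read past the payload */` would also record why the padding term is there. The body of `shorten_decode_frame` starts and ends outside the hunk, so the copy that follows the `memmove` is not visible here.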