diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2012-01-26 02:23:35 +0400 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2012-04-01 20:33:29 +0400 |
commit | a0b65938b7cf37680a4ce0667444a217a151c551 (patch) | |
tree | ff1432bd0ec206824490f1ea6270e672afffe761 /libavcodec | |
parent | cb8a17ddaccdbbe47748ba7ac4ce7303e47732fe (diff) |
kgv1dec: Increase offsets array size so it is large enough.
Fixes CVE-2011-3945
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 807a045ab7f51993a2c1b3116016cbbd4f3d20d6)
Signed-off-by: Alex Converse <alex.converse@gmail.com>
(cherry picked from commit a02e8df973f5478ec82f4c507f5b5b191a5ecb6b)
(cherry picked from commit d5f2382d0389ed47a566ea536887af908bf9b14f)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/kgv1dec.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/kgv1dec.c b/libavcodec/kgv1dec.c index c4c3dac016..42bbcae530 100644 --- a/libavcodec/kgv1dec.c +++ b/libavcodec/kgv1dec.c @@ -46,7 +46,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac const uint8_t *buf = avpkt->data; const uint8_t *buf_end = buf + avpkt->size; KgvContext * const c = avctx->priv_data; - int offsets[7]; + int offsets[8]; uint16_t *out, *prev; int outcnt = 0, maxcnt; int w, h, i, res; @@ -79,7 +79,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac prev = NULL; } - for (i = 0; i < 7; i++) + for (i = 0; i < 8; i++) offsets[i] = -1; while (outcnt < maxcnt && buf_end - 2 > buf) { |