On Sat, Feb 03, 2018 at 10:16:07AM +0100, Paul B Mahol wrote: > On 2/2/18, Michael Niedermayer <mich...@niedermayer.cc> wrote: > > Fixes: out of array read > > Fixes: poc-2017.avi > > > > Found-by: GwanYeong Kim <gy741....@gmail.com> > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > --- > > libavcodec/utvideodec.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libavcodec/utvideodec.c b/libavcodec/utvideodec.c > > index 608c8c4998..1bcd14e74c 100644 > > --- a/libavcodec/utvideodec.c > > +++ b/libavcodec/utvideodec.c > > @@ -676,7 +676,7 @@ static int decode_frame(AVCodecContext *avctx, void > > *data, int *got_frame, > > for (j = 0; j < c->slices; j++) { > > slice_end = bytestream2_get_le32u(&gb); > > if (slice_end < 0 || slice_end < slice_start || > > - bytestream2_get_bytes_left(&gb) < slice_end) { > > + bytestream2_get_bytes_left(&gb) < slice_end + 1024LL) { > > av_log(avctx, AV_LOG_ERROR, "Incorrect slice size\n"); > > return AVERROR_INVALIDDATA; > > } > > -- > > 2.16.1 > > > > _______________________________________________ > > ffmpeg-devel mailing list > > ffmpeg-devel@ffmpeg.org > > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > > > Why this magic number 1024LL ?
Because of the line later: bytestream2_skipu(&gb, 1024); [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB If a bugfix only changes things apparently unrelated to the bug with no further explanation, that is a good sign that the bugfix is wrong.
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org http://ffmpeg.org/mailman/listinfo/ffmpeg-devel