Decoded data is always written in pairs within this decoder. This fixes writes out of bounds.
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: [email protected] --- libavcodec/xxan.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c index 2bc9ff6..05ce7ff 100644 --- a/libavcodec/xxan.c +++ b/libavcodec/xxan.c @@ -50,6 +50,10 @@ static av_cold int xan_decode_init(AVCodecContext *avctx) av_log(avctx, AV_LOG_ERROR, "Invalid frame height: %d.\n", avctx->height); return AVERROR(EINVAL); } + if (avctx->width & 1) { + av_log(avctx, AV_LOG_ERROR, "Invalid frame width: %d.\n", avctx->width); + return AVERROR(EINVAL); + } s->buffer_size = avctx->width * avctx->height; s->y_buffer = av_malloc(s->buffer_size); -- 1.7.9.4 _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
