On Sun, Sep 29, 2013 at 01:21:19AM +0300, Martin Storsjö wrote: > Decoded data is always written in pairs within this decoder. > This fixes writes out of bounds. > > Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind > CC: [email protected] > --- > libavcodec/xxan.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/libavcodec/xxan.c b/libavcodec/xxan.c > index 2bc9ff6..05ce7ff 100644 > --- a/libavcodec/xxan.c > +++ b/libavcodec/xxan.c > @@ -50,6 +50,10 @@ static av_cold int xan_decode_init(AVCodecContext *avctx) > av_log(avctx, AV_LOG_ERROR, "Invalid frame height: %d.\n", > avctx->height); > return AVERROR(EINVAL); > } > + if (avctx->width & 1) { > + av_log(avctx, AV_LOG_ERROR, "Invalid frame width: %d.\n", > avctx->width); > + return AVERROR(EINVAL); > + } > > s->buffer_size = avctx->width * avctx->height; > s->y_buffer = av_malloc(s->buffer_size); > --
LGTM _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
