Browse code
fraps: fix version 0/1 input data size check.
Fixes array overread.
Fixes Ticket1371
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2012/06/02 06:21:03Showing 1 changed files
| ... | ... |
@@ -161,17 +161,17 @@ static int decode_frame(AVCodecContext *avctx, |
| 161 | 161 |
unsigned needed_size = avctx->width*avctx->height*3; |
| 162 | 162 |
if (version == 0) needed_size /= 2; |
| 163 | 163 |
needed_size += header_size; |
| 164 |
- if (buf_size != needed_size && buf_size != header_size) {
|
|
| 165 |
- av_log(avctx, AV_LOG_ERROR, |
|
| 166 |
- "Invalid frame length %d (should be %d)\n", |
|
| 167 |
- buf_size, needed_size); |
|
| 168 |
- return -1; |
|
| 169 |
- } |
|
| 170 | 164 |
/* bit 31 means same as previous pic */ |
| 171 | 165 |
if (header & (1U<<31)) {
|
| 172 | 166 |
*data_size = 0; |
| 173 | 167 |
return buf_size; |
| 174 | 168 |
} |
| 169 |
+ if (buf_size != needed_size) {
|
|
| 170 |
+ av_log(avctx, AV_LOG_ERROR, |
|
| 171 |
+ "Invalid frame length %d (should be %d)\n", |
|
| 172 |
+ buf_size, needed_size); |
|
| 173 |
+ return -1; |
|
| 174 |
+ } |
|
| 175 | 175 |
} else {
|
| 176 | 176 |
/* skip frame */ |
| 177 | 177 |
if (buf_size == 8) {
|