Fixes array overread.
Fixes Ticket1371
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
... | ... |
@@ -161,17 +161,17 @@ static int decode_frame(AVCodecContext *avctx, |
161 | 161 |
unsigned needed_size = avctx->width*avctx->height*3; |
162 | 162 |
if (version == 0) needed_size /= 2; |
163 | 163 |
needed_size += header_size; |
164 |
- if (buf_size != needed_size && buf_size != header_size) { |
|
165 |
- av_log(avctx, AV_LOG_ERROR, |
|
166 |
- "Invalid frame length %d (should be %d)\n", |
|
167 |
- buf_size, needed_size); |
|
168 |
- return -1; |
|
169 |
- } |
|
170 | 164 |
/* bit 31 means same as previous pic */ |
171 | 165 |
if (header & (1U<<31)) { |
172 | 166 |
*data_size = 0; |
173 | 167 |
return buf_size; |
174 | 168 |
} |
169 |
+ if (buf_size != needed_size) { |
|
170 |
+ av_log(avctx, AV_LOG_ERROR, |
|
171 |
+ "Invalid frame length %d (should be %d)\n", |
|
172 |
+ buf_size, needed_size); |
|
173 |
+ return -1; |
|
174 |
+ } |
|
175 | 175 |
} else { |
176 | 176 |
/* skip frame */ |
177 | 177 |
if (buf_size == 8) { |