On Wed, 2011-09-21 at 13:09 +0200, Diego Biurrun wrote: > From: Maxim Poliakovski <max_p...@gmx.de> > +static int decode_frame_header(ProresContext *ctx, const uint8_t *buf, > + const int data_size, AVCodecContext *avctx) > +{ ... > + > + ctx->qmat_changed = 0; > + ptr = buf + 20; > + flags = buf[19]; > + if (flags & 2) { > + if (memcmp(ctx->qmat_luma, ptr, 64)) { > + memcpy(ctx->qmat_luma, ptr, 64); > + ctx->qmat_changed = 1; > + }
Won't this read past the end of the buffer if 28 <= data_size < 28+64 or thereabouts? > + ptr += 64; > + } else { > + memset(ctx->qmat_luma, 4, 64); > + ctx->qmat_changed = 1; > + } > + > + if (flags & 1) { > + if (memcmp(ctx->qmat_chroma, ptr, 64)) { > + memcpy(ctx->qmat_chroma, ptr, 64); > + ctx->qmat_changed = 1; > + } Ditto here. /Tomas
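Review bot: the quantisation-matrix parsing in decode_frame_header never compares the bytes it consumes against data_size: `flags = buf[19];` is read unconditionally, and each of the `memcmp(ctx->qmat_luma, ptr, 64)` / `memcpy(ctx->qmat_chroma, ptr, 64)` pairs reads 64 bytes at `ptr` with no check that the header is that long, so a truncated or malformed frame makes both the luma and the chroma branch read past the end of `buf`. Compute the required length up front, e.g. `20 + 64 * (!!(flags & 2) + !!(flags & 1))`, and bail out with an error (AVERROR_INVALIDDATA) when `data_size` is smaller, before the first memcmp; the function's data_size parameter is otherwise unused in the visible hunk.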