avcodec/dfa: Fix off by 1 error
authorMichael Niedermayer <michael@niedermayer.cc>
Fri, 5 May 2017 18:42:11 +0000 (20:42 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Fri, 5 May 2017 18:42:55 +0000 (20:42 +0200)
Fixes out of array access
Fixes: 1345/clusterfuzz-testcase-minimized-6062963045695488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/dfa.c

index f45d019..5ddb647 100644 (file)
@@ -175,7 +175,7 @@ static int decode_dds1(GetByteContext *gb, uint8_t *frame, int width, int height
                 return AVERROR_INVALIDDATA;
             frame += v;
         } else {
-            if (frame_end - frame < width + 3)
+            if (frame_end - frame < width + 4)
                 return AVERROR_INVALIDDATA;
             frame[0] = frame[1] =
             frame[width] = frame[width + 1] =  bytestream2_get_byte(gb);