apedec: prevent out of array writes in decode_array_0000
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Tue, 28 Apr 2015 09:13:43 +0000 (11:13 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Tue, 19 May 2015 19:08:36 +0000 (21:08 +0200)
commit4e4708ad8093151b2b79276b7c2950a4462108b4
treecb0482f85a6666b6682ca7f399a5b55e87ef671b
parent8624b49276558d451cf3c494d30975f31e926afb
apedec: prevent out of array writes in decode_array_0000

s->decoded_buffer is allocated with a min_size of:
    2 * FFALIGN(blockstodecode, 8) * sizeof(*s->decoded_buffer)

Then it is assigned to s->decoded[0] (and s->decoded_buffer + FFALIGN(blockstodecode, 8)
to s->decoded[1]) and passed as out buffer to decode_array_0000.

In this function 64 elements of the out buffer are written
unconditionally and outside the array if blockstodecode is too small.

This causes memory corruption, leading to segmentation faults or other
crashes.

Thus change decode_array_0000 to write at most blockstodecode elements
of the out buffer.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 699341d647f7af785fb8ceed67604467b0b9ab12)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/apedec.c