shorten: pad the internal bitstream buffer
authorAnton Khirnov <anton@khirnov.net>
Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)
committerAnton Khirnov <anton@khirnov.net>
Tue, 4 Feb 2014 20:59:57 +0000 (21:59 +0100)
Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

libavcodec/shorten.c

index 992e01b..c465fff 100644 (file)
@@ -431,7 +431,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
         void *tmp_ptr;
         s->max_framesize = 1024; // should hopefully be enough for the first header
         tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size,
-                                  s->max_framesize);
+                                  s->max_framesize + FF_INPUT_BUFFER_PADDING_SIZE);
         if (!tmp_ptr) {
             av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n");
             return AVERROR(ENOMEM);
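Review bot: The padding added to the `av_fast_realloc` size is never initialised in this hunk; `av_fast_realloc` does not zero the memory it returns, so a bitstream reader that runs past the valid data now stays inside the allocation but parses stale heap bytes. If nothing after the hunk clears it, zero the tail once the packet data has been copied in, e.g. `memset(s->bitstream + END_OF_VALID_DATA, 0, FF_INPUT_BUFFER_PADDING_SIZE);`, where `END_OF_VALID_DATA` is a placeholder for the offset the decoder tracks. Any other place that grows this buffer or checks a copy length against `s->allocated_bitstream_size` (not visible here) needs to reserve the same padding, otherwise a copy can still fill the bytes this change sets aside. The `if (!tmp_ptr)` block and the rest of `shorten_decode_frame` continue outside the hunk.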