avcodec/dvdsubdec: Fix off by 1 error
authorMichael Niedermayer <michael@niedermayer.cc>
Tue, 25 Oct 2016 22:11:52 +0000 (00:11 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Mon, 5 Dec 2016 17:29:12 +0000 (18:29 +0100)
Fixes out of array read

Found-by: Thomas Garnier using libFuzzer
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c92f55847a3d9cd12db60bfcd0831ff7f089c37c)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/dvdsubdec.c

index 783a24f..4ae63b4 100644 (file)
@@ -185,7 +185,7 @@ static void guess_palette(DVDSubContext* ctx,
     for(i = 0; i < 4; i++) {
         if (alpha[i] != 0) {
             if (!color_used[colormap[i]])  {
-                level = level_map[nb_opaque_colors][j];
+                level = level_map[nb_opaque_colors - 1][j];
                 r = (((subtitle_color >> 16) & 0xff) * level) >> 8;
                 g = (((subtitle_color >> 8) & 0xff) * level) >> 8;
                 b = (((subtitle_color >> 0) & 0xff) * level) >> 8;