sp5xdec: fix off by 1 error causing a crash
authorMichael Niedermayer <michaelni@gmx.at>
Thu, 16 Aug 2012 01:15:14 +0000 (03:15 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Fri, 14 Sep 2012 22:16:27 +0000 (00:16 +0200)
Fixes Ticket1633

Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f0896a6bd94e5b45447c7d640c8e8aa95d860d7a)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/sp5xdec.c

index 4aca0cc..9a3b3f2 100644 (file)
@@ -72,7 +72,7 @@ static int sp5x_decode_frame(AVCodecContext *avctx,
         for (i = 2; i < buf_size-2 && j < buf_size+1024-2; i++)
             recoded[j++] = buf[i];
     else
-    for (i = 14; i < buf_size && j < buf_size+1024-2; i++)
+    for (i = 14; i < buf_size && j < buf_size+1024-3; i++)
     {
         recoded[j++] = buf[i];
         if (buf[i] == 0xff)