Arrays where one element too small, fixes CID114.
authorMichael Niedermayer <michaelni@gmx.at>
Tue, 27 May 2008 22:10:17 +0000 (22:10 +0000)
committerMichael Niedermayer <michaelni@gmx.at>
Tue, 27 May 2008 22:10:17 +0000 (22:10 +0000)
this was possibly exploitable

Originally committed as revision 13475 to svn://svn.ffmpeg.org/ffmpeg/trunk

libavcodec/cavsdec.c

index a7ce883..b212eb9 100644 (file)
@@ -116,8 +116,8 @@ static int decode_residual_block(AVSContext *h, GetBitContext *gb,
                                  const dec_2dvlc_t *r, int esc_golomb_order,
                                  int qp, uint8_t *dst, int stride) {
     int i, level_code, esc_code, level, run, mask;
-    DCTELEM level_buf[64];
-    uint8_t run_buf[64];
+    DCTELEM level_buf[65];
+    uint8_t run_buf[65];
     DCTELEM *block = h->block;
 
     for(i=0;i<65;i++) {