interplayacm: increase bitstream buffer size by AV_INPUT_BUFFER_PADDING_SIZE
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Sun, 30 Oct 2016 20:18:20 +0000 (21:18 +0100)
committerAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Thu, 17 Nov 2016 22:12:09 +0000 (23:12 +0100)
This fixes out-of-bounds reads by the bitstream reader.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 60178e78f2fe9a7bfb9da0abc985835e2ebfd2f1)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
libavcodec/interplayacm.c

index 0320531..c897e72 100644 (file)
@@ -77,7 +77,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
     s->block   = av_calloc(s->block_len, sizeof(int));
     s->wrapbuf = av_calloc(s->wrapbuf_len, sizeof(int));
     s->ampbuf  = av_calloc(0x10000, sizeof(int));
-    s->bitstream = av_calloc(s->max_framesize, sizeof(*s->bitstream));
+    s->bitstream = av_calloc(s->max_framesize + AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1, sizeof(*s->bitstream));
     if (!s->block || !s->wrapbuf || !s->ampbuf || !s->bitstream)
         return AVERROR(ENOMEM);
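Review bot: On the new `av_calloc` line the element count `s->max_framesize + AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1` is summed before the call, so any overflow check inside `av_calloc` covers only the multiplication, not this addition. How `max_framesize` is derived and bounded is not visible in this hunk, so it is worth confirming that it cannot be negative or close to the type's limit when it reaches this line. The expression would also benefit from a comment such as `/* pad by AV_INPUT_BUFFER_PADDING_SIZE bytes, rounded up to whole elements, so the bitstream reader can over-read safely */`. The padding only protects the reader if later writes into `s->bitstream` stay within `max_framesize` elements and leave the zeroed tail untouched; that code is presumably in the decode path and is not shown here. `decode_init` starts and ends outside the hunk.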