dsicinav: update bitmap_frame_size, avoid out of array reads.
authorMichael Niedermayer <michaelni@gmx.at>
Sun, 11 Nov 2012 18:46:16 +0000 (19:46 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Sun, 11 Nov 2012 18:47:01 +0000 (19:47 +0100)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/dsicinav.c

index fec267f..6a0d754 100644 (file)
@@ -270,7 +270,7 @@ static int cinvideo_decode_frame(AVCodecContext *avctx,
           cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);
         break;
     case 35:
-        cin_decode_huffman(buf, bitmap_frame_size,
+        bitmap_frame_size = cin_decode_huffman(buf, bitmap_frame_size,
           cin->bitmap_table[CIN_INT_BMP], cin->bitmap_size);
         cin_decode_rle(cin->bitmap_table[CIN_INT_BMP], bitmap_frame_size,
           cin->bitmap_table[CIN_CUR_BMP], cin->bitmap_size);