rawdec: allocate a buffer in the appropriate size in the copy case.
authorHendrik Leppkes <h.leppkes@gmail.com>
Sun, 16 Jun 2013 07:46:17 +0000 (09:46 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Sun, 16 Jun 2013 07:50:16 +0000 (09:50 +0200)
Otherwise the created buffer can be smaller than buf_size, which results
in buffer overreads if the original image has extra padding on every line.

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/rawdec.c

index 4699242..ab3e0c7 100644 (file)
@@ -190,7 +190,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame,
         return res;
 
     if (need_copy)
-        frame->buf[0] = av_buffer_alloc(context->frame_size);
+        frame->buf[0] = av_buffer_alloc(FFMAX(context->frame_size, buf_size));
     else
         frame->buf[0] = av_buffer_ref(avpkt->buf);
     if (!frame->buf[0])
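Review bot: When buf_size is smaller than context->frame_size, the need_copy buffer is still frame_size bytes long, but the memcpy in the second hunk now writes only the first buf_size bytes, and av_buffer_alloc() does not zero its memory. If anything later in raw_decode reads up to frame_size before a short packet is rejected (that code is outside both hunks, so this is unconfirmed), it would read uninitialized heap contents, which could leak into the decoded frame. Consider `frame->buf[0] = av_buffer_allocz(FFMAX(context->frame_size, buf_size));`. Alternatively, if a buf_size-versus-frame_size check elsewhere in the function already guarantees the tail is never read, add a short comment above the allocation that points to it. raw_decode begins and ends outside this hunk.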
@@ -219,7 +219,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame,
         }
         buf = dst;
     } else if (need_copy) {
-        memcpy(frame->buf[0]->data, buf, FFMIN(buf_size, context->frame_size));
+        memcpy(frame->buf[0]->data, buf, buf_size);
         buf = frame->buf[0]->data;
     }