Fix a possibly exploitable buffer overflow.
authorReinhard Tartler <siretart@tauware.de>
Tue, 9 Feb 2010 18:55:41 +0000 (18:55 +0000)
committerReinhard Tartler <siretart@tauware.de>
Tue, 9 Feb 2010 18:55:41 +0000 (18:55 +0000)
backported r18640 by michael

Originally committed as revision 21712 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5

libavcodec/ffv1.c

index 72c5fbd..ccfcb62 100644 (file)
@@ -248,10 +248,9 @@ static inline int get_symbol(RangeCoder *c, uint8_t *state, int is_signed){
     else{
         int i, e, a;
         e= 0;
-        while(get_rac(c, state+1 + e)){ //1..10
+        while(get_rac(c, state+1 + e) && e<9){ //1..10
             e++;
         }
-        assert(e<=9);
 
         a= 1;
         for(i=e-1; i>=0; i--){
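Review bot: The new `e<9` bound in the `while` condition clamps silently: if the bit read at `state+10` is still set, the loop stops at e=9 and decoding continues with a clamped value, and with `assert(e<=9)` removed nothing marks the stream as malformed. get_symbol's body starts and ends outside the hunk, so whether a caller can detect this case is not visible here; if it cannot, an error or log path for it would help when triaging corrupt or hostile files. The operand order also deserves a comment, because `get_rac()` is evaluated before `e<9` and so still consumes the bit at `state+10`. That is presumably intentional, so that a valid e==9 symbol reads its terminating bit, and a later "tidy-up" that swaps the operands would change decoding. Something like `/* cap e at 9 so state+1+e stays within contexts 1..10; get_rac() is evaluated first so the terminating bit is still consumed */` above the loop would record that.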