dpx: include offset in the total_size calculation
authorMichael Niedermayer <michaelni@gmx.at>
Sun, 10 Feb 2013 16:54:00 +0000 (17:54 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Sun, 10 Feb 2013 16:54:00 +0000 (17:54 +0100)
Fixes out of array reads

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/dpx.c

index 0237b44..310036b 100644 (file)
@@ -199,7 +199,7 @@ static int decode_frame(AVCodecContext *avctx,
     for (i=0; i<AV_NUM_DATA_POINTERS; i++)
         ptr[i] = p->data[i];
 
-    if (total_size > avpkt->size) {
+    if (total_size + (int64_t)offset > avpkt->size) {
         av_log(avctx, AV_LOG_ERROR, "Overread buffer. Invalid header?\n");
         return AVERROR_INVALIDDATA;
     }