avidec: use actually read size instead of requested size
authorAnton Khirnov <anton@khirnov.net>
Fri, 28 Sep 2012 13:42:29 +0000 (15:42 +0200)
committerReinhard Tartler <siretart@tauware.de>
Sun, 10 Feb 2013 17:01:15 +0000 (18:01 +0100)
Fixes CVE-2012-2788
(cherry picked from commit 0af49a63c7f87876486ab09482d5b26b95abce60)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
libavformat/avidec.c

index 78e5051..74edebf 100644 (file)
@@ -780,7 +780,7 @@ resync:
             else
                 ast->frame_offset++;
         }
-        ast->remaining -= size;
+        ast->remaining -= err;
         if(!ast->remaining){
             avi->stream_index= -1;
             ast->packet_size= 0;