smacker: fix an off by one in huff.length computation
authorKostya Shishkov <kostya.shishkov@gmail.com>
Wed, 12 Jun 2013 12:22:24 +0000 (14:22 +0200)
committerReinhard Tartler <siretart@tauware.de>
Sun, 30 Jun 2013 14:06:26 +0000 (16:06 +0200)
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit ee205588b250fe5cae0681be8eba51a5403c3272)

Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
libavcodec/smacker.c

index 3928d8f..f74f0db 100644 (file)
@@ -252,7 +252,7 @@ static int smacker_decode_header_tree(SmackVContext *smk, GetBitContext *gb, int
     ctx.recode2 = tmp2.values;
     ctx.last = last;
 
-    huff.length = ((size + 3) >> 2) + 3;
+    huff.length = ((size + 3) >> 2) + 4;
     huff.maxlength = 0;
     huff.current = 0;
     huff.values = av_mallocz(huff.length * sizeof(int));