shorten: pad the internal bitstream buffer
authorAnton Khirnov <anton@khirnov.net>
Thu, 28 Nov 2013 09:54:35 +0000 (10:54 +0100)
committerReinhard Tartler <siretart@tauware.de>
Sat, 1 Mar 2014 04:05:53 +0000 (23:05 -0500)
Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
(cherry picked from commit 1713eec29add37b654ec6bf262b843d139c1ffc6)

libavcodec/shorten.c

index 22976e0..31bd943 100644 (file)
@@ -441,7 +441,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
         void *tmp_ptr;
         s->max_framesize = 1024; // should hopefully be enough for the first header
         tmp_ptr = av_fast_realloc(s->bitstream, &s->allocated_bitstream_size,
-                                  s->max_framesize);
+                                  s->max_framesize + FF_INPUT_BUFFER_PADDING_SIZE);
         if (!tmp_ptr) {
             av_log(avctx, AV_LOG_ERROR, "error allocating bitstream buffer\n");
             return AVERROR(ENOMEM);
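Review bot: The `FF_INPUT_BUFFER_PADDING_SIZE` bytes added to the `av_fast_realloc()` request are never initialised in this hunk, and `av_fast_realloc()` does not zero the memory it returns. A bitstream reader that runs past the valid data now stays inside the allocation, but it reads stale heap contents rather than the zeros the input-padding convention expects. Clearing the fresh buffer right after the NULL check, e.g. `memset(tmp_ptr, 0, s->allocated_bitstream_size);`, would make that over-read deterministic; this is only safe if the branch runs before any data is stored in `s->bitstream`, which depends on the enclosing condition outside the hunk, so please confirm. Separately, the error path returns with `s->max_framesize` still set to 1024 although the buffer was not grown; if the enclosing condition is keyed on that field, it should be reset before `return AVERROR(ENOMEM);`. Any other site in `shorten.c` that resizes `s->bitstream` from `s->max_framesize` (not visible here) needs the same padding.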