wmalosslessdec: fix mclms_coeffs* array size

Fixes corruption of context Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org Bug-Id: CVE-2014-2098 Signed-off-by: Anton Khirnov <anton@khirnov.net>

wmalosslessdec: fix mclms_coeffs* array size
Fixes corruption of context Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org Bug-Id: CVE-2014-2098 Signed-off-by: Anton Khirnov <anton@khirnov.net>
849b9d34 · Michael Niedermayer · Anton Khirnov · 15201e25 · 849b9d34
Commit 849b9d34 authored Feb 07, 2014 by Michael Niedermayer Committed by Anton Khirnov Aug 05, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

wmalosslessdec.c libavcodec/wmalosslessdec.c +2 -2

No files found.
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -129,8 +129,8 @@ typedef struct WmallDecodeCtx {

    int8_t  mclms_order;
    int8_t  mclms_scaling;
-    int16_t mclms_coeffs[128];
-    int16_t mclms_coeffs_cur[4];
+    int16_t mclms_coeffs[WMALL_MAX_CHANNELS * WMALL_MAX_CHANNELS * 32];
+    int16_t mclms_coeffs_cur[WMALL_MAX_CHANNELS * WMALL_MAX_CHANNELS];
    int16_t mclms_prevvalues[WMALL_MAX_CHANNELS * 2 * 32];
    int16_t mclms_updates[WMALL_MAX_CHANNELS * 2 * 32];
    int     mclms_recent;