rawdec: allocate a buffer in the appropriate size in the copy case.

Otherwise the created buffer can be smaller than buf_size, which results in buffer overreads if the original image has extra padding on every line. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

rawdec: allocate a buffer in the appropriate size in the copy case.
Otherwise the created buffer can be smaller than buf_size, which results in buffer overreads if the original image has extra padding on every line. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
8962da9e · Hendrik Leppkes · Michael Niedermayer · 359af6a7 · 8962da9e
Commit 8962da9e authored Jun 16, 2013 by Hendrik Leppkes Committed by Michael Niedermayer Jun 16, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

rawdec.c libavcodec/rawdec.c +2 -2

No files found.
--- a/libavcodec/rawdec.c
+++ b/libavcodec/rawdec.c
@@ -190,7 +190,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame,
        return res;
    if (need_copy)
-        frame->buf[0] = av_buffer_alloc(context->frame_size);
+        frame->buf[0] = av_buffer_alloc(FFMAX(context->frame_size, buf_size));
    else
        frame->buf[0] = av_buffer_ref(avpkt->buf);
    if (!frame->buf[0])
@@ -219,7 +219,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame,
        }
        buf = dst;
    } else if (need_copy) {
-        memcpy(frame->buf[0]->data, buf, FFMIN(buf_size, context->frame_size));
+        memcpy(frame->buf[0]->data, buf, buf_size);
        buf = frame->buf[0]->data;
    }