Commit d42ec843 authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec/ansi: fix integer overflow

Fixes out of array read
Fixes: 5f9698e86d92f19bb08d54ff0d57027f-signal_sigsegv_b30756_3795_cov_2693691257_ansi256.ans
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent 911eb711
...@@ -420,7 +420,7 @@ static int decode_frame(AVCodecContext *avctx, ...@@ -420,7 +420,7 @@ static int decode_frame(AVCodecContext *avctx,
switch(buf[0]) { switch(buf[0]) {
case '0': case '1': case '2': case '3': case '4': case '0': case '1': case '2': case '3': case '4':
case '5': case '6': case '7': case '8': case '9': case '5': case '6': case '7': case '8': case '9':
if (s->nb_args < MAX_NB_ARGS) if (s->nb_args < MAX_NB_ARGS && s->args[s->nb_args] < 6553)
s->args[s->nb_args] = FFMAX(s->args[s->nb_args], 0) * 10 + buf[0] - '0'; s->args[s->nb_args] = FFMAX(s->args[s->nb_args], 0) * 10 + buf[0] - '0';
break; break;
case ';': case ';':
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment