avcodec/g2meet: Fix framebuf size

Currently the code can in some cases draw tiles that hang outside the allocated buffer. This patch increases the buffer size to avoid out of array accesses. An alternative would be to fail if such tiles are encountered. I do not know if any valid files use such hanging tiles. Fixes Ticket2971 Found-by: ami_stuff Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

avcodec/g2meet: Fix framebuf size
Currently the code can in some cases draw tiles that hang outside the allocated buffer. This patch increases the buffer size to avoid out of array accesses. An alternative would be to fail if such tiles are encountered. I do not know if any valid files use such hanging tiles. Fixes Ticket2971 Found-by: ami_stuff Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
e07ac727 · Michael Niedermayer · 5dca837a · e07ac727
Commit e07ac727 authored Sep 21, 2013 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

g2meet.c libavcodec/g2meet.c +2 -2

No files found.
--- a/libavcodec/g2meet.c
+++ b/libavcodec/g2meet.c
@@ -443,8 +443,8 @@ static int g2m_init_buffers(G2MContext *c)
    int aligned_height;
    if (!c->framebuf || c->old_width < c->width || c->old_height < c->height) {
-        c->framebuf_stride = FFALIGN(c->width * 3, 16);
+        c->framebuf_stride = FFALIGN(c->width + 15, 16) * 3;
-        aligned_height     = FFALIGN(c->height,    16);
+        aligned_height     = c->height + 15;
        av_free(c->framebuf);
        c->framebuf = av_mallocz(c->framebuf_stride * aligned_height);
        if (!c->framebuf)