Commit f9eb6229 authored by Reimar Döffinger

Fix offset validity checks.

Offsets are relative to the end of the header, not the
start of the buffer, thus the buffer size needs to be subtracted.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>
parent cd3ced1b
...@@ -186,12 +186,12 @@ static int decode_frame(AVCodecContext *avctx, ...@@ -186,12 +186,12 @@ static int decode_frame(AVCodecContext *avctx,
} }
for(i = 0; i < planes; i++) { for(i = 0; i < planes; i++) {
offs[i] = AV_RL32(buf + 4 + i * 4); offs[i] = AV_RL32(buf + 4 + i * 4);
if(offs[i] >= buf_size || (i && offs[i] <= offs[i - 1] + 1024)) { if(offs[i] >= buf_size - header_size || (i && offs[i] <= offs[i - 1] + 1024)) {
av_log(avctx, AV_LOG_ERROR, "Fraps: plane %i offset is out of bounds\n", i); av_log(avctx, AV_LOG_ERROR, "Fraps: plane %i offset is out of bounds\n", i);
return -1; return -1;
} }
} }
offs[planes] = buf_size; offs[planes] = buf_size - header_size;
for(i = 0; i < planes; i++) { for(i = 0; i < planes; i++) {
av_fast_padded_malloc(&s->tmpbuf, &s->tmpbuf_size, offs[i + 1] - offs[i] - 1024); av_fast_padded_malloc(&s->tmpbuf, &s->tmpbuf_size, offs[i + 1] - offs[i] - 1024);
if (!s->tmpbuf) if (!s->tmpbuf)
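Review bot: The end of the last plane is never checked against the 1024-byte minimum that the first loop enforces between consecutive offsets, so `offs[i + 1] - offs[i] - 1024` in the allocation loop can drop below zero for `i == planes - 1` when the final offset lies within 1024 bytes of `buf_size - header_size`. If `offs[]` is unsigned (its declaration is outside the hunk), that wraps to a very large request, and rejecting the frame then depends on `av_fast_padded_malloc` failing rather than on explicit validation. Adding `if (offs[planes] <= offs[planes - 1] + 1024) return -1;` right after `offs[planes] = buf_size - header_size;`, with the same log message, would mirror the interior check. The new subtraction also assumes `buf_size >= header_size`, which would have to be established earlier in `decode_frame`; the function body starts and ends outside this hunk.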
......