shorten: fix "off by padding" bug

Fixes array overread Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-05-22 17:39:22 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2013-05-22 17:40:12 +0200
commit: ad22767cb61cdc75541b21154d65fd1ad6351025 (patch)
tree: b90d01c8bb7f73b1b256632d672368d3d23727c6
parent: 14ec9d2590162f1a922860f1e8c1d635f5ccb65e (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 23c5d7cf9b..3bba10c398 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -437,7 +437,7 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
         buf_size       = FFMIN(buf_size, s->max_framesize - s->bitstream_size);
         input_buf_size = buf_size;
 
-        if (s->bitstream_index + s->bitstream_size + buf_size >
+        if (s->bitstream_index + s->bitstream_size + buf_size + FF_INPUT_BUFFER_PADDING_SIZE >
             s->allocated_bitstream_size) {
             memmove(s->bitstream, &s->bitstream[s->bitstream_index],
                     s->bitstream_size);
author	Michael Niedermayer <michaelni@gmx.at>	2013-05-22 17:39:22 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2013-05-22 17:40:12 +0200
commit	ad22767cb61cdc75541b21154d65fd1ad6351025 (patch)
tree	b90d01c8bb7f73b1b256632d672368d3d23727c6
parent	14ec9d2590162f1a922860f1e8c1d635f5ccb65e (diff)