lagarith: fix buffer overreads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
author: Ronald S. Bultje <rsbultje@gmail.com> 2012-03-27 12:26:46 -0700
committer: Ronald S. Bultje <rsbultje@gmail.com> 2012-03-28 07:06:47 -0700
commit: 0a82f5275f719e6e369a807720a2c3603aa0ddd9 (patch)
tree: 8a1cf45648efac926d991465905e073601cde5ca /libavcodec/lagarithrac.c
parent: c0b34e61483aa08524dd9c0383419d11d09b0181 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/libavcodec/lagarithrac.c b/libavcodec/lagarithrac.c
index 33dc6e4bd4..edfb18fb74 100644
--- a/libavcodec/lagarithrac.c
+++ b/libavcodec/lagarithrac.c
@@ -32,15 +32,16 @@
 
 void ff_lag_rac_init(lag_rac *l, GetBitContext *gb, int length)
 {
-    int i, j;
+    int i, j, left;
 
     /* According to reference decoder "1st byte is garbage",
      * however, it gets skipped by the call to align_get_bits()
      */
     align_get_bits(gb);
+    left                = get_bits_left(gb) >> 3;
     l->bytestream_start =
     l->bytestream       = gb->buffer + get_bits_count(gb) / 8;
-    l->bytestream_end   = l->bytestream_start + length;
+    l->bytestream_end   = l->bytestream_start + FFMIN(length, left);
 
     l->range        = 0x80;
     l->low          = *l->bytestream >> 1;
author	Ronald S. Bultje <rsbultje@gmail.com>	2012-03-27 12:26:46 -0700
committer	Ronald S. Bultje <rsbultje@gmail.com>	2012-03-28 07:06:47 -0700
commit	0a82f5275f719e6e369a807720a2c3603aa0ddd9 (patch)
tree	8a1cf45648efac926d991465905e073601cde5ca /libavcodec/lagarithrac.c
parent	c0b34e61483aa08524dd9c0383419d11d09b0181 (diff)