[FFmpeg-cvslog] avcodec/ansi: fix integer overflow

Michael Niedermayer git at videolan.org
Sun Feb 23 17:46:54 CET 2014


ffmpeg | branch: release/2.1 | Michael Niedermayer <michaelni at gmx.at> | Mon Feb 17 20:49:42 2014 +0100| [18eac12c6d470588afd8abc15396ba77dfdcb4ee] | committer: Michael Niedermayer

avcodec/ansi: fix integer overflow

Fixes out of array read
Fixes: 5f9698e86d92f19bb08d54ff0d57027f-signal_sigsegv_b30756_3795_cov_2693691257_ansi256.ans
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit d42ec8433c687fcbccefa51a7716d81920218e4f)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=18eac12c6d470588afd8abc15396ba77dfdcb4ee
---

 libavcodec/ansi.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/ansi.c b/libavcodec/ansi.c
index 8dce61a..8e2b61d 100644
--- a/libavcodec/ansi.c
+++ b/libavcodec/ansi.c
@@ -417,7 +417,7 @@ static int decode_frame(AVCodecContext *avctx,
             switch(buf[0]) {
             case '0': case '1': case '2': case '3': case '4':
             case '5': case '6': case '7': case '8': case '9':
-                if (s->nb_args < MAX_NB_ARGS)
+                if (s->nb_args < MAX_NB_ARGS && s->args[s->nb_args] < 6553)
                     s->args[s->nb_args] = FFMAX(s->args[s->nb_args], 0) * 10 + buf[0] - '0';
                 break;
             case ';':
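Review bot: the new `s->args[s->nb_args] < 6553` condition in the digit case uses an unexplained magic number and silently drops digits instead of clamping. With the check in place the largest value the accumulation can produce is 6552 * 10 + 9 = 65529, which removes the overflow in the multiply, but nothing in the hunk says why 6553 was chosen or what upper bound the consumers of `s->args[]` actually need. Please add a short comment or a named constant next to `MAX_NB_ARGS` stating the intended maximum. Note also that once an argument reaches 6553 or more, further digits are ignored, so an over-long number keeps its leading digits rather than saturating (for example "99999" stays at 9999 while "65529" is accepted in full). If saturation is the intended behaviour, an explicit clamp would be clearer. Since the commit message reports an out-of-array read, it would also be worth confirming that every place that uses `s->args[]` as a position or index range-checks it, because this hunk only limits the magnitude at parse time.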


