diff mbox

[FFmpeg-devel] avcodec/dvdsubdec: Fix off by 1 error

Message ID 20161025223106.32578-1-michael@niedermayer.cc
State Accepted
Commit c92f55847a3d9cd12db60bfcd0831ff7f089c37c
Headers show

Commit Message

Michael Niedermayer Oct. 25, 2016, 10:31 p.m. UTC 
Fixes out of array read

Found-by: Thomas Garnier using libFuzzer
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dvdsubdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Michael Niedermayer Oct. 26, 2016, 5:51 p.m. UTC | #1 
On Wed, Oct 26, 2016 at 12:31:06AM +0200, Michael Niedermayer wrote:
> Fixes out of array read
> 
> Found-by: Thomas Garnier using libFuzzer
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/dvdsubdec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

applied

[...]
diff mbox

Patch

diff --git a/libavcodec/dvdsubdec.c b/libavcodec/dvdsubdec.c
index b81b481..18475ec 100644
--- a/libavcodec/dvdsubdec.c
+++ b/libavcodec/dvdsubdec.c
@@ -185,7 +185,7 @@  static void guess_palette(DVDSubContext* ctx,
     for(i = 0; i < 4; i++) {
         if (alpha[i] != 0) {
             if (!color_used[colormap[i]])  {
-                level = level_map[nb_opaque_colors][j];
+                level = level_map[nb_opaque_colors - 1][j];
                 r = (((subtitle_color >> 16) & 0xff) * level) >> 8;
                 g = (((subtitle_color >> 8) & 0xff) * level) >> 8;
                 b = (((subtitle_color >> 0) & 0xff) * level) >> 8;