From: Kostya Shishkov <kostya.shishkov@gmail.com>
Date: Mon, 11 Jan 2010 14:21:53 +0000 (+0000)
Subject: Fix two RLE buffer size calculations in TSCC decoder.
X-Git-Tag: v0.6~2019
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=eebece4641f224c8e1b7f9b764364237daf7b088;p=platform%2Fupstream%2Flibav.git

Fix two RLE buffer size calculations in TSCC decoder.
Spotted by Zhongtuan Ma.

Originally committed as revision 21138 to svn://svn.ffmpeg.org/ffmpeg/trunk
---

diff --git a/libavcodec/tscc.c b/libavcodec/tscc.c
index b00b5c5..bf82c63 100644
--- a/libavcodec/tscc.c
+++ b/libavcodec/tscc.c
@@ -107,7 +107,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *data_size, AVPac
 
 
     if(zret != Z_DATA_ERROR)
-        ff_msrle_decode(avctx, (AVPicture*)&c->pic, c->bpp, c->decomp_buf, c->zstream.avail_out);
+        ff_msrle_decode(avctx, (AVPicture*)&c->pic, c->bpp, c->decomp_buf, c->decomp_size - c->zstream.avail_out);
 
     /* make the palette available on the way out */
     if (c->avctx->pix_fmt == PIX_FMT_PAL8) {
@@ -154,7 +154,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
              return -1;
     }
     c->bpp = avctx->bits_per_coded_sample;
-    c->decomp_size = (avctx->width * c->bpp + (avctx->width + 254) / 255 + 2) * avctx->height + 2;//RLE in the 'best' case
+    // buffer size for RLE 'best' case when 2-byte code preceeds each pixel and there may be padding after it too
+    c->decomp_size = (((avctx->width * c->bpp + 7) >> 3) + 3 * avctx->width + 2) * avctx->height + 2;
 
     /* Allocate decompression buffer */
     if (c->decomp_size) {