From 8962da9ec367b535f975c876643ed2cad2bad32e Mon Sep 17 00:00:00 2001
From: Hendrik Leppkes
Date: Sun, 16 Jun 2013 09:46:17 +0200
Subject: [PATCH] rawdec: allocate a buffer in the appropriate size in the copy case.
Otherwise the created buffer can be smaller than buf_size, which results in buffer overreads if the original image has extra padding on every line.
Signed-off-by: Michael Niedermayer
---
 libavcodec/rawdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/rawdec.c b/libavcodec/rawdec.c
index 46992427be..ab3e0c7f00 100644
--- a/libavcodec/rawdec.c
+++ b/libavcodec/rawdec.c
@@ -190,7 +190,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame,
 return res;
 if (need_copy)
- frame->buf[0] = av_buffer_alloc(context->frame_size);
+ frame->buf[0] = av_buffer_alloc(FFMAX(context->frame_size, buf_size));
 else
 frame->buf[0] = av_buffer_ref(avpkt->buf);
 if (!frame->buf[0])
@@ -219,7 +219,7 @@ static int raw_decode(AVCodecContext *avctx, void *data, int *got_frame,
 }
 buf = dst;
 } else if (need_copy) {
- memcpy(frame->buf[0]->data, buf, FFMIN(buf_size, context->frame_size));
+ memcpy(frame->buf[0]->data, buf, buf_size);
 buf = frame->buf[0]->data;
 }
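Review bot: In the first hunk, `av_buffer_alloc(FFMAX(context->frame_size, buf_size))` still leaves the tail of the buffer uninitialized when the packet is shorter than `context->frame_size`, because the second hunk copies only `buf_size` bytes and av_buffer_alloc() does not clear its memory. Unless code outside these hunks rejects short packets before the frame is returned, those bytes could reach the decoded picture as stale heap contents. Consider `frame->buf[0] = av_buffer_allocz(FFMAX(context->frame_size, buf_size));`, or a memset of the remainder after the copy. raw_decode's body starts and ends outside the hunk.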
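Review bot: The `memcpy(frame->buf[0]->data, buf, buf_size);` in the second hunk is no longer bounded by anything visible at the call site; it is safe only because the allocation in the first hunk, roughly thirty lines earlier, is at least `buf_size`. A comment such as `/* frame->buf[0] holds at least buf_size bytes, see the allocation above */` would record that dependency for whoever next touches either site. Alternatively the copy could be bounded by the destination itself with `FFMIN(buf_size, frame->buf[0]->size)`, so a later change to the allocation cannot turn this into an overflow. The enclosing if/else chain starts outside the hunk.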