diff options
| author | Justin Ruggles <justin.ruggles@gmail.com> | 2011-09-27 17:24:27 -0400 |
|---|---|---|
| committer | Justin Ruggles <justin.ruggles@gmail.com> | 2011-10-26 16:00:37 -0400 |
| commit | 4a6a29a7fbf023b19797c38a86099d9f81d25524 (patch) | |
| tree | 64f74b74a421d71cb5744d903487eebdebab11e8 | |
| parent | 345d15d2f9430ea9667b15b9faca09e12ba41d28 (diff) | |
| download | ffmpeg-4a6a29a7fbf023b19797c38a86099d9f81d25524.tar.gz | |
libopencore-amr: check output buffer size before decoding
| -rw-r--r-- | libavcodec/libopencore-amr.c | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/libavcodec/libopencore-amr.c b/libavcodec/libopencore-amr.c index 6c54a1d118..a705975aa9 100644 --- a/libavcodec/libopencore-amr.c +++ b/libavcodec/libopencore-amr.c @@ -131,11 +131,17 @@ static int amr_nb_decode_frame(AVCodecContext *avctx, void *data, AMRContext *s = avctx->priv_data; static const uint8_t block_size[16] = { 12, 13, 15, 17, 19, 20, 26, 31, 5, 0, 0, 0, 0, 0, 0, 0 }; enum Mode dec_mode; - int packet_size; + int packet_size, out_size; av_dlog(avctx, "amr_decode_frame buf=%p buf_size=%d frame_count=%d!!\n", buf, buf_size, avctx->frame_number); + out_size = 160 * av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n"); + return AVERROR(EINVAL); + } + dec_mode = (buf[0] >> 3) & 0x000F; packet_size = block_size[dec_mode] + 1; @@ -149,7 +155,7 @@ static int amr_nb_decode_frame(AVCodecContext *avctx, void *data, packet_size, buf[0], buf[1], buf[2], buf[3]); /* call decoder */ Decoder_Interface_Decode(s->dec_state, buf, data, 0); - *data_size = 160 * 2; + *data_size = out_size; return packet_size; } @@ -271,9 +277,15 @@ static int amr_wb_decode_frame(AVCodecContext *avctx, void *data, int buf_size = avpkt->size; AMRWBContext *s = avctx->priv_data; int mode; - int packet_size; + int packet_size, out_size; static const uint8_t block_size[16] = {18, 24, 33, 37, 41, 47, 51, 59, 61, 6, 6, 0, 0, 0, 1, 1}; + out_size = 320 * av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n"); + return AVERROR(EINVAL); + } + mode = (buf[0] >> 3) & 0x000F; packet_size = block_size[mode]; @@ -284,7 +296,7 @@ static int amr_wb_decode_frame(AVCodecContext *avctx, void *data, } D_IF_decode(s->state, buf, data, _good_frame); - *data_size = 320 * 2; + *data_size = out_size; return packet_size; } |