atrac1: check output buffer size before decoding

(cherry picked from commit 33684b9c12b74c0140fb91e8150263db4a48d55e)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

1 files changed, 9 insertions, 2 deletions

diff --git a/libavcodec/atrac1.c b/libavcodec/atrac1.c
index 1f4c36c141..9d37e4c866 100644
--- a/libavcodec/atrac1.c
+++ b/libavcodec/atrac1.c
@@ -276,7 +276,7 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data,
     const uint8_t *buf = avpkt->data;
     int buf_size       = avpkt->size;
     AT1Ctx *q          = avctx->priv_data;
-    int ch, ret, i;
+    int ch, ret, i, out_size;
     GetBitContext gb;
     float* samples = data;
 
@@ -286,6 +286,13 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data,
         return -1;
     }
 
+    out_size = q->channels * AT1_SU_SAMPLES *
+               av_get_bytes_per_sample(avctx->sample_fmt);
+    if (*data_size < out_size) {
+        av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
+
     for (ch = 0; ch < q->channels; ch++) {
         AT1SUCtx* su = &q->SUs[ch];
 
@@ -318,7 +325,7 @@ static int atrac1_decode_frame(AVCodecContext *avctx, void *data,
         }
     }
 
-    *data_size = q->channels * AT1_SU_SAMPLES * sizeof(*samples);
+    *data_size = out_size;
     return avctx->block_align;
 }