diff options
author | Justin Ruggles <justin.ruggles@gmail.com> | 2011-10-23 13:00:33 -0400 |
---|---|---|
committer | Justin Ruggles <justin.ruggles@gmail.com> | 2011-10-25 11:30:50 -0400 |
commit | a3a8572165ce636fb011b78764a2584777f81b95 (patch) | |
tree | 418d42a1e48db07dfa6d0beac5ed00df80e17294 | |
parent | 4e41973794c5fc5c3a045b00051e0c089774cf9b (diff) | |
download | ffmpeg-a3a8572165ce636fb011b78764a2584777f81b95.tar.gz |
g722dec: check output buffer size before decoding
-rw-r--r-- | libavcodec/g722dec.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/libavcodec/g722dec.c b/libavcodec/g722dec.c index 9330fea3ce..2be47159a4 100644 --- a/libavcodec/g722dec.c +++ b/libavcodec/g722dec.c @@ -85,11 +85,17 @@ static int g722_decode_frame(AVCodecContext *avctx, void *data, { G722Context *c = avctx->priv_data; int16_t *out_buf = data; - int j, out_len = 0; + int j, out_len; const int skip = 8 - avctx->bits_per_coded_sample; const int16_t *quantizer_table = low_inv_quants[skip]; GetBitContext gb; + out_len = avpkt->size * 2 * av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_len) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + init_get_bits(&gb, avpkt->data, avpkt->size * 8); for (j = 0; j < avpkt->size; j++) { @@ -114,15 +120,15 @@ static int g722_decode_frame(AVCodecContext *avctx, void *data, c->prev_samples[c->prev_samples_pos++] = rlow - rhigh; ff_g722_apply_qmf(c->prev_samples + c->prev_samples_pos - 24, &xout1, &xout2); - out_buf[out_len++] = av_clip_int16(xout1 >> 12); - out_buf[out_len++] = av_clip_int16(xout2 >> 12); + *out_buf++ = av_clip_int16(xout1 >> 12); + *out_buf++ = av_clip_int16(xout2 >> 12); if (c->prev_samples_pos >= PREV_SAMPLES_BUF_SIZE) { memmove(c->prev_samples, c->prev_samples + c->prev_samples_pos - 22, 22 * sizeof(c->prev_samples[0])); c->prev_samples_pos = 22; } } - *data_size = out_len << 1; + *data_size = out_len; return avpkt->size; } |