aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJustin Ruggles <justin.ruggles@gmail.com>2011-09-23 19:50:41 -0400
committerJustin Ruggles <justin.ruggles@gmail.com>2011-10-22 15:38:05 -0400
commite53eecd0e7211973a1a9757f559bdd93a1848901 (patch)
treeb55b547e377b573d078bcf1d1469c464fd066319
parent5ed68178225c82f6525f962b895bce682e9ad05c (diff)
downloadffmpeg-e53eecd0e7211973a1a9757f559bdd93a1848901.tar.gz
twinvq: check output buffer size before decoding
-rw-r--r--libavcodec/twinvq.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c
index 1c800ee184..c7ce11d937 100644
--- a/libavcodec/twinvq.c
+++ b/libavcodec/twinvq.c
@@ -822,7 +822,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data,
const ModeTab *mtab = tctx->mtab;
float *out = data;
enum FrameType ftype;
- int window_type;
+ int window_type, out_size;
static const enum FrameType wtype_to_ftype_table[] = {
FT_LONG, FT_LONG, FT_SHORT, FT_LONG,
FT_MEDIUM, FT_LONG, FT_LONG, FT_MEDIUM, FT_MEDIUM
@@ -834,6 +834,13 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data,
return AVERROR(EINVAL);
}
+ out_size = mtab->size * avctx->channels *
+ av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
init_get_bits(&gb, buf, buf_size * 8);
skip_bits(&gb, get_bits(&gb, 8));
window_type = get_bits(&gb, WINDOW_TYPE_BITS);
@@ -856,7 +863,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data,
return buf_size;
}
- *data_size = mtab->size*avctx->channels*4;
+ *data_size = out_size;
return buf_size;
}