diff options
author | Justin Ruggles <justin.ruggles@gmail.com> | 2011-09-23 19:50:41 -0400 |
---|---|---|
committer | Justin Ruggles <justin.ruggles@gmail.com> | 2011-10-22 15:38:05 -0400 |
commit | e53eecd0e7211973a1a9757f559bdd93a1848901 (patch) | |
tree | b55b547e377b573d078bcf1d1469c464fd066319 | |
parent | 5ed68178225c82f6525f962b895bce682e9ad05c (diff) | |
download | ffmpeg-e53eecd0e7211973a1a9757f559bdd93a1848901.tar.gz |
twinvq: check output buffer size before decoding
-rw-r--r-- | libavcodec/twinvq.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c index 1c800ee184..c7ce11d937 100644 --- a/libavcodec/twinvq.c +++ b/libavcodec/twinvq.c @@ -822,7 +822,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data, const ModeTab *mtab = tctx->mtab; float *out = data; enum FrameType ftype; - int window_type; + int window_type, out_size; static const enum FrameType wtype_to_ftype_table[] = { FT_LONG, FT_LONG, FT_SHORT, FT_LONG, FT_MEDIUM, FT_LONG, FT_LONG, FT_MEDIUM, FT_MEDIUM @@ -834,6 +834,13 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data, return AVERROR(EINVAL); } + out_size = mtab->size * avctx->channels * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n"); + return AVERROR(EINVAL); + } + init_get_bits(&gb, buf, buf_size * 8); skip_bits(&gb, get_bits(&gb, 8)); window_type = get_bits(&gb, WINDOW_TYPE_BITS); @@ -856,7 +863,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data, return buf_size; } - *data_size = mtab->size*avctx->channels*4; + *data_size = out_size; return buf_size; } |