authorKostya Shishkov <kostya.shishkov@gmail.com>2007-09-22 09:21:43 +0000
committerKostya Shishkov <kostya.shishkov@gmail.com>2007-09-22 09:21:43 +0000
commita2085a7e9d83d99aca58bfb385f6db1afa5673dd (patch)
tree320fcfb562dc17362a35293902440bf282f81684
parent675a0583b42f7eeac145dd0adf6d66d87c2af892 (diff)
Guard against output buffer overflows
Originally committed as revision 10548 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r--libavcodec/dpcm.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c
index 0ce05c821a..c4a127d7c7 100644
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -173,6 +173,10 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
if (!buf_size)
return 0;
+ // almost every DPCM variant expands one byte of data into two
+ if(*data_size/2 < buf_size)
+ return -1;
+
switch(avctx->codec->id) {
case CODEC_ID_ROQ_DPCM:
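Review bot: Both new guards, this one and the `*data_size/4` check in the CODEC_ID_SOL_DPCM case, reject the packet with a bare `return -1`, so an undersized output buffer looks the same to the caller as any other decode failure. Logging before the return would make the rejection diagnosable, for example `av_log(avctx, AV_LOG_ERROR, "output buffer too small\n");`. The comparison also relies on `*data_size` holding the caller's output capacity in bytes on entry; that contract is not visible in this hunk, so it is worth stating in the comment, e.g. `// *data_size is the output capacity in bytes on entry; one input byte yields at most two output bytes, except SOL DPCM with codec_tag != 3 (checked in its case)`. dpcm_decode_frame starts and ends outside the hunk.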
@@ -256,6 +260,8 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
case CODEC_ID_SOL_DPCM:
in = 0;
if (avctx->codec_tag != 3) {
+ if(*data_size/4 < buf_size)
+ return -1;
while (in < buf_size) {
int n1, n2;
n1 = (buf[in] >> 4) & 0xF;
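Review bot: The divisor in `if(*data_size/4 < buf_size)` is unexplained, unlike the first guard, which carries a comment for its factor of two. A one-line comment above it would tie the bound to the loop it protects, e.g. `// each input byte carries two 4-bit codes, each decoded to two output bytes`. Only the high-nibble extraction for `n1` is visible here, so the assumption that `n2` is the low nibble and that both produce one output sample each should be confirmed against the rest of the loop, which continues outside the hunk.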