mpc8: check output buffer size before decoding

(cherry picked from commit 5674d4b0a35a34b75e3533a8580e0b5a0a8895a7) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Justin Ruggles <justin.ruggles@gmail.com> 2011-09-14 11:39:21 -0400
committer: Michael Niedermayer <michaelni@gmx.at> 2011-11-04 00:40:13 +0100
commit: fc8c0ee09f8eb8eab6373e1b4946cb503caa9884 (patch)
tree: 468961f871f74f7b70bef09e1bb42d5eb2f22b8e
parent: 490617b6ffa13f8e49a196a752f927d5ebad6e2b (diff)
download: ffmpeg-fc8c0ee09f8eb8eab6373e1b4946cb503caa9884.tar.gz
1 files changed, 8 insertions, 2 deletions
diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c
index bca57451ca..90bc8c8b96 100644
--- a/libavcodec/mpc8.c
+++ b/libavcodec/mpc8.c
@@ -243,10 +243,16 @@ static int mpc8_decode_frame(AVCodecContext * avctx,
     GetBitContext gb2, *gb = &gb2;
     int i, j, k, ch, cnt, res, t;
     Band *bands = c->bands;
-    int off;
+    int off, out_size;
     int maxband, keyframe;
     int last[2];
 
+    out_size = MPC_FRAME_SIZE * 2 * avctx->channels;
+    if (*data_size < out_size) {
+        av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
+
     keyframe = c->cur_frame == 0;
 
     if(keyframe){
@@ -404,7 +410,7 @@ static int mpc8_decode_frame(AVCodecContext * avctx,
     c->last_bits_used = get_bits_count(gb);
     if(c->cur_frame >= c->frames)
         c->cur_frame = 0;
-    *data_size =  MPC_FRAME_SIZE * 2 * avctx->channels;
+    *data_size =  out_size;
 
     return c->cur_frame ? c->last_bits_used >> 3 : buf_size;
 }
author	Justin Ruggles <justin.ruggles@gmail.com>	2011-09-14 11:39:21 -0400
committer	Michael Niedermayer <michaelni@gmx.at>	2011-11-04 00:40:13 +0100
commit	fc8c0ee09f8eb8eab6373e1b4946cb503caa9884 (patch)
tree	468961f871f74f7b70bef09e1bb42d5eb2f22b8e
parent	490617b6ffa13f8e49a196a752f927d5ebad6e2b (diff)
download	ffmpeg-fc8c0ee09f8eb8eab6373e1b4946cb503caa9884.tar.gz