dpcm: Round output buffer size up.

Fixes: CVE-2011-3951 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-01-26 17:04:51 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2012-01-26 17:05:57 +0100
commit: 92115bb685914cbfeb02fed26d5acd50dea03d7e (patch)
tree: da13fdaa1e89e3524811ff9061ab4e9ea0c55c56 /libavcodec/dpcm.c
parent: ddf0c1d86ad8e1df5ab3265206aef493a1bdc813 (diff)
download: ffmpeg-92115bb685914cbfeb02fed26d5acd50dea03d7e.tar.gz
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c
index 929458a22b..8240221076 100644
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -205,9 +205,12 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
         av_log(avctx, AV_LOG_ERROR, "packet is too small\n");
         return AVERROR(EINVAL);
     }
+    if (out % s->channels) {
+        av_log(avctx, AV_LOG_WARNING, "channels have differing number of samples\n");
+    }
 
     /* get output buffer */
-    s->frame.nb_samples = out / s->channels;
+    s->frame.nb_samples = (out + s->channels - 1) / s->channels;
     if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
author	Michael Niedermayer <michaelni@gmx.at>	2012-01-26 17:04:51 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2012-01-26 17:05:57 +0100
commit	92115bb685914cbfeb02fed26d5acd50dea03d7e (patch)
tree	da13fdaa1e89e3524811ff9061ab4e9ea0c55c56 /libavcodec/dpcm.c
parent	ddf0c1d86ad8e1df5ab3265206aef493a1bdc813 (diff)
download	ffmpeg-92115bb685914cbfeb02fed26d5acd50dea03d7e.tar.gz