authorJustin Ruggles <justin.ruggles@gmail.com>2011-09-14 12:16:05 -0400
committerJustin Ruggles <justin.ruggles@gmail.com>2011-10-02 10:19:04 -0400
commit8b31c086b6065084644b86a63c9171f3094cf6ad (patch)
tree3e99f7875f067e78cc001edff6a5d8ead00150df /libavcodec/nellymoserdec.c
parent0e5cc174bb0f0dfb99bd4969bb1d6c20de3d6e7f (diff)
nellymoser: check output buffer size before decoding
Diffstat (limited to 'libavcodec/nellymoserdec.c')
-rw-r--r--libavcodec/nellymoserdec.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/libavcodec/nellymoserdec.c b/libavcodec/nellymoserdec.c
index a153dc0603..2856479566 100644
--- a/libavcodec/nellymoserdec.c
+++ b/libavcodec/nellymoserdec.c
@@ -156,19 +156,26 @@ static int decode_tag(AVCodecContext * avctx,
const uint8_t *buf = avpkt->data;
int buf_size = avpkt->size;
NellyMoserDecodeContext *s = avctx->priv_data;
- int blocks, i;
+ int blocks, i, block_size;
int16_t* samples;
- *data_size = 0;
samples = (int16_t*)data;
- if (buf_size < avctx->block_align)
+ if (buf_size < avctx->block_align) {
+ *data_size = 0;
return buf_size;
+ }
if (buf_size % 64) {
av_log(avctx, AV_LOG_ERROR, "Tag size %d.\n", buf_size);
+ *data_size = 0;
return buf_size;
}
- blocks = buf_size / 64;
+ block_size = NELLY_SAMPLES * av_get_bytes_per_sample(avctx->sample_fmt);
+ blocks = FFMIN(buf_size / 64, *data_size / block_size);
+ if (blocks <= 0) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
/* Normal numbers of blocks for sample rates:
* 8000 Hz - 1
* 11025 Hz - 2
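Review bot: The new bound divides `*data_size` by `block_size`, which comes from `av_get_bytes_per_sample(avctx->sample_fmt)`, while the write in the loop of the second hunk is still hard-wired to `int16_t` samples, so the check protects the output buffer only while those two element sizes agree. av_get_bytes_per_sample() returns 0 for an unrecognised format, which would make the division fault; the decoder's init is not on this page, so presumably sample_fmt is pinned to S16 there, and either a guard such as `if (block_size <= 0) return AVERROR(EINVAL);` or a comment stating that invariant would make the dependency explicit. The `blocks <= 0` path also returns without `*data_size = 0;`, unlike the two early returns above it, leaving the caller's input value in place on error. decode_tag starts before and continues past this hunk.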
@@ -180,8 +187,8 @@ static int decode_tag(AVCodecContext * avctx,
for (i=0 ; i<blocks ; i++) {
nelly_decode_block(s, &buf[i*NELLY_BLOCK_LEN], s->float_buf);
s->fmt_conv.float_to_int16(&samples[i*NELLY_SAMPLES], s->float_buf, NELLY_SAMPLES);
- *data_size += NELLY_SAMPLES*sizeof(int16_t);
}
+ *data_size = blocks * block_size;
return buf_size;
}
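Review bot: When the output-size clamp in the first hunk lowers `blocks` below `buf_size / 64`, the function still ends with `return buf_size;`, so the undecoded tail of the packet is reported as consumed and is dropped without any log line. If the caller is expected to resubmit leftover input, `return blocks * NELLY_BLOCK_LEN;` would let it do so; otherwise an av_log warning on truncation would at least make the loss visible. This assumes NELLY_BLOCK_LEN is the same 64-byte unit used in the size check, which the page does not show. The start of decode_tag is outside this hunk.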