author | Justin Ruggles <justin.ruggles@gmail.com> | 2011-09-14 13:57:04 -0400 |
---|---|---|
committer | Reinhard Tartler <siretart@tauware.de> | 2011-12-04 08:55:55 +0100 |
commit | 73472053516f82b7d273a3d42c583f894077a191 (patch) | |
tree | 815649fad37d14c759c477404c67d71ca1eb8d46 /libavcodec | |
parent | 0d93d5c4614fafea74bdac681673f5b32eb49063 (diff) | |
download | ffmpeg-73472053516f82b7d273a3d42c583f894077a191.tar.gz |
qdm2: check output buffer size before decoding
(cherry picked from commit 7d49f79f1cd47783a963a757a6563b9cac29db62)
Signed-off-by: Reinhard Tartler <siretart@tauware.de>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/qdm2.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index d1619ef131..7e7051fc6d 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -1959,13 +1959,20 @@ static int qdm2_decode_frame(AVCodecContext *avctx,
 int buf_size = avpkt->size;
 QDM2Context *s = avctx->priv_data;
 int16_t *out = data;
- int i;
+ int i, out_size;
 if(!buf)
 return 0;
 if(buf_size < s->checksum_size)
 return -1;
+ out_size = 16 * s->channels * s->frame_size *
+ av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
 av_log(avctx, AV_LOG_DEBUG, "decode(%d): %p[%d] -> %p[%d]\n",
 buf_size, buf, s->checksum_size, data, *data_size);
@@ -1975,7 +1982,7 @@ static int qdm2_decode_frame(AVCodecContext *avctx,
 out += s->channels * s->frame_size;
 }
- *data_size = (uint8_t*)out - (uint8_t*)data;
+ *data_size = out_size;
 return s->checksum_size;
 } |
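Review bot: The new `out_size` product in the first hunk is evaluated in plain `int`, so the buffer check is only as strong as the limits on `s->channels` and `s->frame_size`, which are set outside this hunk. If they are not capped when the context is initialised, the multiplication could overflow, and a wrapped or negative result would pass `if (*data_size < out_size)` and leave the decode loop writing past the caller's buffer. I would either state the invariant next to the computation, e.g. `/* channels and frame_size are range-checked at init, so this cannot overflow int */`, or compute the size in `int64_t` and reject anything above `INT_MAX` before the comparison. The literal `16` also has to stay equal to the decode loop's iteration count (loop header not visible here), because the second hunk now reports `out_size` instead of the pointer difference; a shared named constant would keep the two in step. Note that qdm2_decode_frame begins above the first hunk, so the earlier `return 0` / `return -1` paths and their handling of `*data_size` are only partly visible.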