diff options
| author | Justin Ruggles <justin.ruggles@gmail.com> | 2011-09-13 18:53:18 -0400 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2011-11-06 19:49:12 +0100 |
| commit | 8d1fa1c97e1d11614489d2ea746be1a435563dd0 (patch) | |
| tree | 392dd6d9e7b799b42420527598f803b435c58778 /libavcodec | |
| parent | 2eb5f77bc8ac0b533e3d305bf6dbe54186471465 (diff) | |
| download | ffmpeg-8d1fa1c97e1d11614489d2ea746be1a435563dd0.tar.gz | |
mpc7: check output buffer size before decoding
(cherry picked from commit c8b5c4d27409dfdcec80868686b173ba446c998b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b833859daa4eb8fe0ec9117859b21a734905b895)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/mpc7.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/libavcodec/mpc7.c b/libavcodec/mpc7.c index 7077c96fc2..2858255152 100644 --- a/libavcodec/mpc7.c +++ b/libavcodec/mpc7.c @@ -164,7 +164,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, int i, ch, t; int mb = -1; Band *bands = c->bands; - int off; + int off, out_size; int bits_used, bits_avail; memset(bands, 0, sizeof(bands)); @@ -172,6 +172,12 @@ static int mpc7_decode_frame(AVCodecContext * avctx, av_log(avctx, AV_LOG_ERROR, "Too small buffer passed (%i bytes)\n", buf_size); } + out_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4; + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + bits = av_malloc(((buf_size - 1) & ~3) + FF_INPUT_BUFFER_PADDING_SIZE); c->dsp.bswap_buf((uint32_t*)bits, (const uint32_t*)(buf + 4), (buf_size - 4) >> 2); init_get_bits(&gb, bits, (buf_size - 4)* 8); @@ -248,7 +254,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, *data_size = 0; return buf_size; } - *data_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4; + *data_size = out_size; return buf_size; } |