Browse code
Check output buffer size in nellymoser decoder.
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 741ec30bd2385f794efa9fafa84d39a917f2574e)
(cherry picked from commit 533dbaa55b7d45d5ca76f9ed46f5690282f86ea9)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Laurent Aimar authored on 2011/09/22 03:46:29Showing 1 changed files
| ... | ... |
@@ -154,6 +154,7 @@ static int decode_tag(AVCodecContext * avctx, |
| 154 | 154 |
void *data, int *data_size, |
| 155 | 155 |
const uint8_t * buf, int buf_size) {
|
| 156 | 156 |
NellyMoserDecodeContext *s = avctx->priv_data; |
| 157 |
+ int data_max = *data_size; |
|
| 157 | 158 |
int blocks, i; |
| 158 | 159 |
int16_t* samples; |
| 159 | 160 |
*data_size = 0; |
| ... | ... |
@@ -177,6 +178,8 @@ static int decode_tag(AVCodecContext * avctx, |
| 177 | 177 |
} |
| 178 | 178 |
|
| 179 | 179 |
for (i=0 ; i<blocks ; i++) {
|
| 180 |
+ if ((i + 1) * NELLY_SAMPLES * sizeof(int16_t) > data_max) |
|
| 181 |
+ return i > 0 ? i * NELLY_BLOCK_LEN : -1; |
|
| 180 | 182 |
nelly_decode_block(s, &buf[i*NELLY_BLOCK_LEN], s->float_buf); |
| 181 | 183 |
s->dsp.float_to_int16(&samples[i*NELLY_SAMPLES], s->float_buf, NELLY_SAMPLES); |
| 182 | 184 |
*data_size += NELLY_SAMPLES*sizeof(int16_t); |