Browse code
mpc7: fix handling of last frame
Fixes heap buffer overflow
Fixes ticket1393
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e95233789c08f55c0b2d0657bada609629a59294)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2012/06/03 06:43:31Showing 1 changed files
| ... | ... |
@@ -228,7 +228,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, void *data, |
| 228 | 228 |
buf_size -= 4; |
| 229 | 229 |
|
| 230 | 230 |
/* get output buffer */ |
| 231 |
- c->frame.nb_samples = last_frame ? c->lastframelen : MPC_FRAME_SIZE; |
|
| 231 |
+ c->frame.nb_samples = MPC_FRAME_SIZE; |
|
| 232 | 232 |
if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) {
|
| 233 | 233 |
av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); |
| 234 | 234 |
return ret; |
| ... | ... |
@@ -298,6 +298,8 @@ static int mpc7_decode_frame(AVCodecContext * avctx, void *data, |
| 298 | 298 |
idx_to_quant(c, &gb, bands[i].res[ch], c->Q[ch] + off); |
| 299 | 299 |
|
| 300 | 300 |
ff_mpc_dequantize_and_synth(c, mb, c->frame.data[0], 2); |
| 301 |
+ if(last_frame) |
|
| 302 |
+ c->frame.nb_samples = c->lastframelen; |
|
| 301 | 303 |
|
| 302 | 304 |
bits_used = get_bits_count(&gb); |
| 303 | 305 |
bits_avail = buf_size * 8; |