Browse code
adxenc: check output buffer size before writing
Justin Ruggles authored on 2011/12/20 00:56:18Showing 1 changed files
| ... | ... |
@@ -87,6 +87,9 @@ static int adx_encode_header(AVCodecContext *avctx, uint8_t *buf, int bufsize) |
| 87 | 87 |
{
|
| 88 | 88 |
ADXContext *c = avctx->priv_data; |
| 89 | 89 |
|
| 90 |
+ if (bufsize < HEADER_SIZE) |
|
| 91 |
+ return AVERROR(EINVAL); |
|
| 92 |
+ |
|
| 90 | 93 |
bytestream_put_be16(&buf, 0x8000); /* header signature */ |
| 91 | 94 |
bytestream_put_be16(&buf, HEADER_SIZE - 4); /* copyright offset */ |
| 92 | 95 |
bytestream_put_byte(&buf, 3); /* encoding */ |
| ... | ... |
@@ -140,10 +143,19 @@ static int adx_encode_frame(AVCodecContext *avctx, uint8_t *frame, |
| 140 | 140 |
int ch; |
| 141 | 141 |
|
| 142 | 142 |
if (!c->header_parsed) {
|
| 143 |
- int hdrsize = adx_encode_header(avctx, dst, buf_size); |
|
| 144 |
- dst += hdrsize; |
|
| 143 |
+ int hdrsize; |
|
| 144 |
+ if ((hdrsize = adx_encode_header(avctx, dst, buf_size)) < 0) {
|
|
| 145 |
+ av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n"); |
|
| 146 |
+ return AVERROR(EINVAL); |
|
| 147 |
+ } |
|
| 148 |
+ dst += hdrsize; |
|
| 149 |
+ buf_size -= hdrsize; |
|
| 145 | 150 |
c->header_parsed = 1; |
| 146 | 151 |
} |
| 152 |
+ if (buf_size < BLOCK_SIZE * avctx->channels) {
|
|
| 153 |
+ av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n"); |
|
| 154 |
+ return AVERROR(EINVAL); |
|
| 155 |
+ } |
|
| 147 | 156 |
|
| 148 | 157 |
for (ch = 0; ch < avctx->channels; ch++) {
|
| 149 | 158 |
adx_encode(c, dst, samples + ch, &c->prev[ch], avctx->channels); |