Browse code
atrac3: check output buffer size before decoding
Justin Ruggles authored on 2011/10/15 06:09:58Showing 1 changed files
| ... | ... |
@@ -827,7 +827,7 @@ static int atrac3_decode_frame(AVCodecContext *avctx, |
| 827 | 827 |
const uint8_t *buf = avpkt->data; |
| 828 | 828 |
int buf_size = avpkt->size; |
| 829 | 829 |
ATRAC3Context *q = avctx->priv_data; |
| 830 |
- int result = 0; |
|
| 830 |
+ int result = 0, out_size; |
|
| 831 | 831 |
const uint8_t* databuf; |
| 832 | 832 |
float *samples = data; |
| 833 | 833 |
|
| ... | ... |
@@ -838,6 +838,12 @@ static int atrac3_decode_frame(AVCodecContext *avctx, |
| 838 | 838 |
return buf_size; |
| 839 | 839 |
} |
| 840 | 840 |
|
| 841 |
+ out_size = 1024 * q->channels * av_get_bytes_per_sample(avctx->sample_fmt); |
|
| 842 |
+ if (*data_size < out_size) {
|
|
| 843 |
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); |
|
| 844 |
+ return AVERROR(EINVAL); |
|
| 845 |
+ } |
|
| 846 |
+ |
|
| 841 | 847 |
/* Check if we need to descramble and what buffer to pass on. */ |
| 842 | 848 |
if (q->scrambled_stream) {
|
| 843 | 849 |
decode_bytes(buf, q->decoded_bytes_buffer, avctx->block_align); |
| ... | ... |
@@ -858,7 +864,7 @@ static int atrac3_decode_frame(AVCodecContext *avctx, |
| 858 | 858 |
q->fmt_conv.float_interleave(samples, (const float **)q->outSamples, |
| 859 | 859 |
1024, 2); |
| 860 | 860 |
} |
| 861 |
- *data_size = 1024 * q->channels * av_get_bytes_per_sample(avctx->sample_fmt); |
|
| 861 |
+ *data_size = out_size; |
|
| 862 | 862 |
|
| 863 | 863 |
return avctx->block_align; |
| 864 | 864 |
} |