Browse code
mpc7: check output buffer size before decoding (cherry picked from commit c8b5c4d27409dfdcec80868686b173ba446c998b)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit b833859daa4eb8fe0ec9117859b21a734905b895)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Justin Ruggles authored on 2011/09/14 07:53:18Showing 1 changed files
| ... | ... |
@@ -164,7 +164,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, |
| 164 | 164 |
int i, ch, t; |
| 165 | 165 |
int mb = -1; |
| 166 | 166 |
Band *bands = c->bands; |
| 167 |
- int off; |
|
| 167 |
+ int off, out_size; |
|
| 168 | 168 |
int bits_used, bits_avail; |
| 169 | 169 |
|
| 170 | 170 |
memset(bands, 0, sizeof(bands)); |
| ... | ... |
@@ -172,6 +172,12 @@ static int mpc7_decode_frame(AVCodecContext * avctx, |
| 172 | 172 |
av_log(avctx, AV_LOG_ERROR, "Too small buffer passed (%i bytes)\n", buf_size); |
| 173 | 173 |
} |
| 174 | 174 |
|
| 175 |
+ out_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4; |
|
| 176 |
+ if (*data_size < out_size) {
|
|
| 177 |
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); |
|
| 178 |
+ return AVERROR(EINVAL); |
|
| 179 |
+ } |
|
| 180 |
+ |
|
| 175 | 181 |
bits = av_malloc(((buf_size - 1) & ~3) + FF_INPUT_BUFFER_PADDING_SIZE); |
| 176 | 182 |
c->dsp.bswap_buf((uint32_t*)bits, (const uint32_t*)(buf + 4), (buf_size - 4) >> 2); |
| 177 | 183 |
init_get_bits(&gb, bits, (buf_size - 4)* 8); |
| ... | ... |
@@ -248,7 +254,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, |
| 248 | 248 |
*data_size = 0; |
| 249 | 249 |
return buf_size; |
| 250 | 250 |
} |
| 251 |
- *data_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4; |
|
| 251 |
+ *data_size = out_size; |
|
| 252 | 252 |
|
| 253 | 253 |
return buf_size; |
| 254 | 254 |
} |