@@ -76,6 +76,7 @@ do { \

 #define SAMPLES_NEEDED_2(why) \

      av_log (NULL,AV_LOG_INFO,"This file triggers some missing code. Please contact the developers.\nPosition: %s\n",why);

+#define QDM2_MAX_FRAME_SIZE 512

 typedef int8_t sb_int8_array[2][30][64];

@@ -168,7 +169,7 @@ typedef struct {

     /// I/O data

     const uint8_t *compressed_data;

     int compressed_size;

-    float output_buffer[1024];

+    float output_buffer[QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS * 2];

     /// Synthesis filter

     MPADSPContext mpadsp;

@@ -1822,7 +1823,8 @@ static av_cold int qdm2_decode_init(AVCodecContext *avctx)

     // something like max decodable tones

     s->group_order = av_log2(s->group_size) + 1;

     s->frame_size = s->group_size / 16; // 16 iterations per super block

-    if (s->frame_size > FF_ARRAY_ELEMS(s->output_buffer) / 2)

+

+    if (s->frame_size > QDM2_MAX_FRAME_SIZE)

         return AVERROR_INVALIDDATA;

     s->sub_sampling = s->fft_order - 7;

@@ -1893,6 +1895,9 @@ static int qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out)

     int ch, i;

     const int frame_size = (q->frame_size * q->channels);

+    if((unsigned)frame_size > FF_ARRAY_ELEMS(q->output_buffer)/2)

+        return -1;

+

     /* select input buffer */

     q->compressed_data = in;

     q->compressed_size = q->checksum_size;