diff options
| author | Justin Ruggles <justin.ruggles@gmail.com> | 2011-09-24 03:56:58 +0400 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2011-11-04 06:18:52 +0400 |
| commit | 2137d99086b36b95f589ec19ab3f906d32d31b4a (patch) | |
| tree | c4ea8335a341d9bbe0805cdecf6e11db4012a296 /libavcodec | |
| parent | e9de2d98a904aa6f13fd07cb776850569e110f22 (diff) | |
vorbisdec: check output buffer size before writing output
(cherry picked from commit 60aa1a358d9c1c8f891e72246d5dcd897857eca8)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/vorbisdec.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 024c8fd3cf..8f16d3a5a5 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1605,7 +1605,7 @@ static int vorbis_decode_frame(AVCodecContext *avccontext, vorbis_context *vc = avccontext->priv_data ; GetBitContext *gb = &(vc->gb); const float *channel_ptrs[255]; - int i, len; + int i, len, out_size; if (!buf_size) return 0; @@ -1630,6 +1630,13 @@ static int vorbis_decode_frame(AVCodecContext *avccontext, av_dlog(NULL, "parsed %d bytes %d bits, returned %d samples (*ch*bits) \n", get_bits_count(gb) / 8, get_bits_count(gb) % 8, len); + out_size = len * vc->audio_channels * + av_get_bytes_per_sample(avccontext->sample_fmt); + if (*data_size < out_size) { + av_log(avccontext, AV_LOG_ERROR, "output buffer is too small\n"); + return AVERROR(EINVAL); + } + if (vc->audio_channels > 8) { for (i = 0; i < vc->audio_channels; i++) channel_ptrs[i] = vc->channel_floors + i * len; @@ -1645,8 +1652,7 @@ static int vorbis_decode_frame(AVCodecContext *avccontext, vc->fmt_conv.float_to_int16_interleave(data, channel_ptrs, len, vc->audio_channels); - *data_size = len * vc->audio_channels * - av_get_bytes_per_sample(avccontext->sample_fmt); + *data_size = out_size; return buf_size ; } |