diff options
| author | Justin Ruggles <justin.ruggles@gmail.com> | 2011-09-24 03:50:41 +0400 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2011-11-04 06:18:52 +0400 |
| commit | e9de2d98a904aa6f13fd07cb776850569e110f22 (patch) | |
| tree | e5721631036c9747265f0cab93bdd91fe1579ec8 /libavcodec | |
| parent | 93f1159af5221e23c749be8fa0d3df3ef7a93fd0 (diff) | |
twinvq: check output buffer size before decoding
(cherry picked from commit e53eecd0e7211973a1a9757f559bdd93a1848901)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/twinvq.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c index f8e75bb933..7be13bcf0c 100644 --- a/libavcodec/twinvq.c +++ b/libavcodec/twinvq.c @@ -822,7 +822,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data, const ModeTab *mtab = tctx->mtab; float *out = data; enum FrameType ftype; - int window_type; + int window_type, out_size; static const enum FrameType wtype_to_ftype_table[] = { FT_LONG, FT_LONG, FT_SHORT, FT_LONG, FT_MEDIUM, FT_LONG, FT_LONG, FT_MEDIUM, FT_MEDIUM @@ -835,6 +835,13 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data, return buf_size; } + out_size = mtab->size * avctx->channels * + av_get_bytes_per_sample(avctx->sample_fmt); + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n"); + return AVERROR(EINVAL); + } + init_get_bits(&gb, buf, buf_size * 8); skip_bits(&gb, get_bits(&gb, 8)); window_type = get_bits(&gb, WINDOW_TYPE_BITS); @@ -857,7 +864,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data, return buf_size; } - *data_size = mtab->size*avctx->channels*4; + *data_size = out_size; return buf_size; } |