From 2137d99086b36b95f589ec19ab3f906d32d31b4a Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Fri, 23 Sep 2011 19:56:58 -0400 Subject: vorbisdec: check output buffer size before writing output (cherry picked from commit 60aa1a358d9c1c8f891e72246d5dcd897857eca8) Signed-off-by: Michael Niedermayer --- libavcodec/vorbisdec.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'libavcodec') diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c index 024c8fd3cf..8f16d3a5a5 100644 --- a/libavcodec/vorbisdec.c +++ b/libavcodec/vorbisdec.c @@ -1605,7 +1605,7 @@ static int vorbis_decode_frame(AVCodecContext *avccontext, vorbis_context *vc = avccontext->priv_data ; GetBitContext *gb = &(vc->gb); const float *channel_ptrs[255]; - int i, len; + int i, len, out_size; if (!buf_size) return 0; @@ -1630,6 +1630,13 @@ static int vorbis_decode_frame(AVCodecContext *avccontext, av_dlog(NULL, "parsed %d bytes %d bits, returned %d samples (*ch*bits) \n", get_bits_count(gb) / 8, get_bits_count(gb) % 8, len); + out_size = len * vc->audio_channels * + av_get_bytes_per_sample(avccontext->sample_fmt); + if (*data_size < out_size) { + av_log(avccontext, AV_LOG_ERROR, "output buffer is too small\n"); + return AVERROR(EINVAL); + } + if (vc->audio_channels > 8) { for (i = 0; i < vc->audio_channels; i++) channel_ptrs[i] = vc->channel_floors + i * len; @@ -1645,8 +1652,7 @@ static int vorbis_decode_frame(AVCodecContext *avccontext, vc->fmt_conv.float_to_int16_interleave(data, channel_ptrs, len, vc->audio_channels); - *data_size = len * vc->audio_channels * - av_get_bytes_per_sample(avccontext->sample_fmt); + *data_size = out_size; return buf_size ; } -- cgit v1.2.3