Module: libav Branch: release/0.7 Commit: ce3e0d48f8b6dd90f42fa9157bbd76a573cbf4c7
Author: Justin Ruggles <[email protected]> Committer: Reinhard Tartler <[email protected]> Date: Tue Sep 13 18:53:18 2011 -0400 mpc7: check output buffer size before decoding (cherry picked from commit c8b5c4d27409dfdcec80868686b173ba446c998b) Signed-off-by: Anton Khirnov <[email protected]> --- libavcodec/mpc7.c | 10 ++++++++-- 1 files changed, 8 insertions(+), 2 deletions(-) diff --git a/libavcodec/mpc7.c b/libavcodec/mpc7.c index dbfa3c8..8d2c023 100644 --- a/libavcodec/mpc7.c +++ b/libavcodec/mpc7.c @@ -197,7 +197,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, int i, ch; int mb = -1; Band *bands = c->bands; - int off; + int off, out_size; int bits_used, bits_avail; memset(bands, 0, sizeof(bands)); @@ -205,6 +205,12 @@ static int mpc7_decode_frame(AVCodecContext * avctx, av_log(avctx, AV_LOG_ERROR, "Too small buffer passed (%i bytes)\n", buf_size); } + out_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4; + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + bits = av_malloc(((buf_size - 1) & ~3) + FF_INPUT_BUFFER_PADDING_SIZE); c->dsp.bswap_buf((uint32_t*)bits, (const uint32_t*)(buf + 4), (buf_size - 4) >> 2); init_get_bits(&gb, bits, (buf_size - 4)* 8); @@ -277,7 +283,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, *data_size = 0; return buf_size; } - *data_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4; + *data_size = out_size; return buf_size; } _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
