On Sat, Oct 22, 2011 at 04:32:40PM -0400, Justin Ruggles wrote:
> ---
> libavcodec/vorbisdec.c | 12 +++++++++---
> 1 files changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c
> index 2662a6c..2e91047 100644
> --- a/libavcodec/vorbisdec.c
> +++ b/libavcodec/vorbisdec.c
> @@ -1607,7 +1607,7 @@ static int vorbis_decode_frame(AVCodecContext
> *avccontext,
> vorbis_context *vc = avccontext->priv_data ;
> GetBitContext *gb = &(vc->gb);
> const float *channel_ptrs[255];
> - int i, len;
> + int i, len, out_size;
>
> if (!buf_size)
> return 0;
> @@ -1632,6 +1632,13 @@ static int vorbis_decode_frame(AVCodecContext
> *avccontext,
> av_dlog(NULL, "parsed %d bytes %d bits, returned %d samples (*ch*bits)
> \n",
> get_bits_count(gb) / 8, get_bits_count(gb) % 8, len);
>
> + out_size = len * vc->audio_channels *
> + av_get_bytes_per_sample(avccontext->sample_fmt);
> + if (*data_size < out_size) {
> + av_log(avccontext, AV_LOG_ERROR, "output buffer is too small\n");
> + return AVERROR(EINVAL);
> + }
> +
> if (vc->audio_channels > 8) {
> for (i = 0; i < vc->audio_channels; i++)
> channel_ptrs[i] = vc->channel_floors + i * len;
> @@ -1647,8 +1654,7 @@ static int vorbis_decode_frame(AVCodecContext
> *avccontext,
> vc->fmt_conv.float_to_int16_interleave(data, channel_ptrs, len,
> vc->audio_channels);
>
> - *data_size = len * vc->audio_channels *
> - av_get_bytes_per_sample(avccontext->sample_fmt);
> + *data_size = out_size;
>
> return buf_size ;
> }
lgtm
Janne
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
