From 362aba4be71f2d5d6c85f7bf8dd800faf5c1069f Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 11 Jul 2008 19:45:52 +0000 Subject: [PATCH] Check that we have enough output space available. Originally committed as revision 14170 to svn://svn.ffmpeg.org/ffmpeg/trunk --- libavcodec/wmadec.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/wmadec.c b/libavcodec/wmadec.c index 361a73d273..0b46fe0884 100644 --- a/libavcodec/wmadec.c +++ b/libavcodec/wmadec.c @@ -781,6 +781,11 @@ static int wma_decode_superframe(AVCodecContext *avctx, skip_bits(&s->gb, 4); /* super frame index */ nb_frames = get_bits(&s->gb, 4) - 1; + if((nb_frames+1) * s->nb_channels * s->frame_len * sizeof(int16_t) > *data_size){ + av_log(s->avctx, AV_LOG_ERROR, "Insufficient output space\n"); + goto fail; + } + bit_offset = get_bits(&s->gb, s->byte_offset_bits + 3); if (s->last_superframe_len > 0) { @@ -836,6 +841,10 @@ static int wma_decode_superframe(AVCodecContext *avctx, s->last_superframe_len = len; memcpy(s->last_superframe, buf + pos, len); } else { + if(s->nb_channels * s->frame_len * sizeof(int16_t) > *data_size){ + av_log(s->avctx, AV_LOG_ERROR, "Insufficient output space\n"); + goto fail; + } /* single frame decode */ if (wma_decode_frame(s, samples) < 0) goto fail;