From 5674d4b0a35a34b75e3533a8580e0b5a0a8895a7 Mon Sep 17 00:00:00 2001
From: Justin Ruggles
Date: Wed, 14 Sep 2011 11:39:21 -0400
Subject: [PATCH] mpc8: check output buffer size before decoding

---
 libavcodec/mpc8.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c
index 0e3947b031..a126fc8a8f 100644
--- a/libavcodec/mpc8.c
+++ b/libavcodec/mpc8.c
@@ -241,10 +241,16 @@ static int mpc8_decode_frame(AVCodecContext * avctx,
 GetBitContext gb2, *gb = &gb2;
 int i, j, k, ch, cnt, res, t;
 Band *bands = c->bands;
- int off;
+ int off, out_size;
 int maxband, keyframe;
 int last[2];

+ out_size = MPC_FRAME_SIZE * 2 * avctx->channels;
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
 keyframe = c->cur_frame == 0;

 if(keyframe){
@@ -400,7 +406,7 @@ static int mpc8_decode_frame(AVCodecContext * avctx,
 c->last_bits_used = get_bits_count(gb);
 if(c->cur_frame >= c->frames)
 c->cur_frame = 0;
- *data_size = MPC_FRAME_SIZE * 2 * avctx->channels;
+ *data_size = out_size;

 return c->cur_frame ? c->last_bits_used >> 3 : buf_size;
 }
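Review bot: The bound added in the first hunk, `out_size = MPC_FRAME_SIZE * 2 * avctx->channels;`, hard-codes the bytes per sample as a bare `2` and takes `avctx->channels` on trust, so the guard protects the output buffer only if both match what the synthesis code actually writes. I would tie the factor to the sample type, for example `out_size = MPC_FRAME_SIZE * avctx->channels * sizeof(int16_t);` (assuming 16-bit output, which the hunk does not show). A comment above the check would also help, such as `/* on entry *data_size holds the capacity of the caller's output buffer in bytes */`. It is worth confirming that the init path rejects a zero or unsupported channel count, because such a value would make `out_size` too small and let the check pass trivially. mpc8_decode_frame starts before this hunk, so the channel validation and the earlier declarations are not visible here.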