From 754ebd1a5b68dd63ccceb50a8a852fe8d0c94354 Mon Sep 17 00:00:00 2001 From: Justin Ruggles Date: Mon, 19 Dec 2011 10:56:18 -0500 Subject: adxenc: check output buffer size before writing --- libavcodec/adxenc.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'libavcodec/adxenc.c') diff --git a/libavcodec/adxenc.c b/libavcodec/adxenc.c index 2664353f9a..20f27981c8 100644 --- a/libavcodec/adxenc.c +++ b/libavcodec/adxenc.c @@ -87,6 +87,9 @@ static int adx_encode_header(AVCodecContext *avctx, uint8_t *buf, int bufsize) { ADXContext *c = avctx->priv_data; + if (bufsize < HEADER_SIZE) + return AVERROR(EINVAL); + bytestream_put_be16(&buf, 0x8000); /* header signature */ bytestream_put_be16(&buf, HEADER_SIZE - 4); /* copyright offset */ bytestream_put_byte(&buf, 3); /* encoding */ @@ -140,10 +143,19 @@ static int adx_encode_frame(AVCodecContext *avctx, uint8_t *frame, int ch; if (!c->header_parsed) { - int hdrsize = adx_encode_header(avctx, dst, buf_size); - dst += hdrsize; + int hdrsize; + if ((hdrsize = adx_encode_header(avctx, dst, buf_size)) < 0) { + av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n"); + return AVERROR(EINVAL); + } + dst += hdrsize; + buf_size -= hdrsize; c->header_parsed = 1; } + if (buf_size < BLOCK_SIZE * avctx->channels) { + av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n"); + return AVERROR(EINVAL); + } for (ch = 0; ch < avctx->channels; ch++) { adx_encode(c, dst, samples + ch, &c->prev[ch], avctx->channels); -- cgit v1.2.3