From 494e353179a138b254630f3a208df3aa639d258f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 3 May 2008 21:01:47 +0000
Subject: Heap buffer overflow.

Originally committed as revision 13051 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/alac.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'libavcodec/alac.c')
diff --git a/libavcodec/alac.c b/libavcodec/alac.c
index 9fbba9544a..c5a9b767c8 100644
--- a/libavcodec/alac.c
+++ b/libavcodec/alac.c
@@ -405,7 +405,7 @@ static int alac_decode_frame(AVCodecContext *avctx,
 ALACContext *alac = avctx->priv_data;
 int channels;
- int32_t outputsamples;
+ unsigned int outputsamples;
 int hassize;
 int readsamplesize;
 int wasted_bytes;
@@ -458,6 +458,10 @@ static int alac_decode_frame(AVCodecContext *avctx,
 if (hassize) {
 /* now read the number of samples as a 32bit integer */
 outputsamples = get_bits(&alac->gb, 32);
+ if(outputsamples > alac->setinfo_max_samples_per_frame){
+ av_log(avctx, AV_LOG_ERROR, "outputsamples %d > %d\n", outputsamples, alac->setinfo_max_samples_per_frame);
+ return -1;
+ }
 } else
 outputsamples = alac->setinfo_max_samples_per_frame;
-- 
cgit v1.2.3
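Review bot: The declaration `unsigned int outputsamples;` carries no comment, yet its signedness is what lets the bound check added later in this function reject a 32-bit field with the top bit set; as `int32_t` such a value would be negative and, depending on the type of the limit, could slip past a signed comparison. I would add `/* unsigned on purpose: raw 32-bit count from the bitstream, compared against the per-frame maximum */` above it so the type is not changed back during a later cleanup. The rest of alac_decode_frame lies outside the hunk, so any later comparisons of `outputsamples` with signed loop counters or sizes should be rechecked for sign-compare problems.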
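Review bot: The `av_log` call inside the added guard formats `outputsamples` with `%d` although the first hunk makes it `unsigned int`, so the oversized values this check exists to reject (anything above INT_MAX) show up in the log as negative numbers. Use `%u` instead: `av_log(avctx, AV_LOG_ERROR, "outputsamples %u > %u\n", outputsamples, alac->setinfo_max_samples_per_frame);`. The second specifier assumes `setinfo_max_samples_per_frame` is unsigned as well, which its declaration outside this hunk should confirm. The guard is only as strong as that limit: if the field is itself parsed from stream data, the decode buffers must be sized from the same value, and that allocation is not visible here. alac_decode_frame starts and ends outside the hunk.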