From 7e4881a2d074a7dfba7ee1990b3e17c9276f985d Mon Sep 17 00:00:00 2001
From: Justin Ruggles
Date: Fri, 14 Oct 2011 17:09:58 -0400
Subject: atrac3: check output buffer size before decoding
---
 libavcodec/atrac3.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'libavcodec/atrac3.c')
diff --git a/libavcodec/atrac3.c b/libavcodec/atrac3.c
index 8bd6adffd1..6828ff054e 100644
--- a/libavcodec/atrac3.c
+++ b/libavcodec/atrac3.c
@@ -827,7 +827,7 @@ static int atrac3_decode_frame(AVCodecContext *avctx,
 const uint8_t *buf = avpkt->data;
 int buf_size = avpkt->size;
 ATRAC3Context *q = avctx->priv_data;
- int result = 0;
+ int result = 0, out_size;
 const uint8_t* databuf;
 float *samples = data;
@@ -838,6 +838,12 @@ static int atrac3_decode_frame(AVCodecContext *avctx,
 return buf_size;
 }
+ out_size = 1024 * q->channels * av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+ /* Check if we need to descramble and what buffer to pass on. */
 if (q->scrambled_stream) {
 decode_bytes(buf, q->decoded_bytes_buffer, avctx->block_align);
@@ -858,7 +864,7 @@ static int atrac3_decode_frame(AVCodecContext *avctx,
 q->fmt_conv.float_interleave(samples, (const float **)q->outSamples, 1024, 2);
 }
- *data_size = 1024 * q->channels * av_get_bytes_per_sample(avctx->sample_fmt);
+ *data_size = out_size;
 return avctx->block_align;
 }
-- cgit v1.2.3
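Review bot: The new size check in the second hunk hard-codes the frame length as `1024`, the same literal that the `float_interleave(..., 1024, 2)` call in the last hunk uses for the actual write, so the guard only protects the caller's buffer while both literals are edited together. A shared constant would tie the check to the write, e.g. `#define SAMPLES_PER_FRAME 1024` and `out_size = SAMPLES_PER_FRAME * q->channels * av_get_bytes_per_sample(avctx->sample_fmt);`. The product is computed in `int` from `q->channels`, which is set outside this diff; if the init path does not bound the channel count, a range check belongs there so that `out_size` cannot wrap or go negative and pass the `*data_size < out_size` comparison. A one-line comment above the check, such as `/* decoder always writes 1024 samples per channel into data */`, would document why the size is fixed. The body of atrac3_decode_frame starts and ends outside the hunks shown.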