From a3a8572165ce636fb011b78764a2584777f81b95 Mon Sep 17 00:00:00 2001
From: Justin Ruggles
Date: Sun, 23 Oct 2011 13:00:33 -0400
Subject: g722dec: check output buffer size before decoding
---
 libavcodec/g722dec.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
 (limited to 'libavcodec/g722dec.c')
diff --git a/libavcodec/g722dec.c b/libavcodec/g722dec.c
index 9330fea3ce..2be47159a4 100644
--- a/libavcodec/g722dec.c
+++ b/libavcodec/g722dec.c
@@ -85,11 +85,17 @@ static int g722_decode_frame(AVCodecContext *avctx, void *data,
 {
 G722Context *c = avctx->priv_data;
 int16_t *out_buf = data;
- int j, out_len = 0;
+ int j, out_len;
 const int skip = 8 - avctx->bits_per_coded_sample;
 const int16_t *quantizer_table = low_inv_quants[skip];
 GetBitContext gb;
+ out_len = avpkt->size * 2 * av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_len) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
 init_get_bits(&gb, avpkt->data, avpkt->size * 8);
 for (j = 0; j < avpkt->size; j++) {
@@ -114,15 +120,15 @@ static int g722_decode_frame(AVCodecContext *avctx, void *data,
 c->prev_samples[c->prev_samples_pos++] = rlow - rhigh;
 ff_g722_apply_qmf(c->prev_samples + c->prev_samples_pos - 24, &xout1, &xout2);
- out_buf[out_len++] = av_clip_int16(xout1 >> 12);
- out_buf[out_len++] = av_clip_int16(xout2 >> 12);
+ *out_buf++ = av_clip_int16(xout1 >> 12);
+ *out_buf++ = av_clip_int16(xout2 >> 12);
 if (c->prev_samples_pos >= PREV_SAMPLES_BUF_SIZE) {
 memmove(c->prev_samples, c->prev_samples + c->prev_samples_pos - 22, 22 * sizeof(c->prev_samples[0]));
 c->prev_samples_pos = 22;
 }
 }
- *data_size = out_len << 1;
+ *data_size = out_len;
 return avpkt->size;
 }
-- 
cgit v1.2.3
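Review bot: The new bound `out_len = avpkt->size * 2 * av_get_bytes_per_sample(avctx->sample_fmt)` is computed in plain `int`, so a very large `avpkt->size` can overflow it. That is undefined behaviour, and in practice the value may wrap to something small or negative, in which case `*data_size < out_len` no longer rejects the packet while the loop below still writes `2 * avpkt->size` samples. Computing the requirement in a wider type closes the gap: `int64_t need = (int64_t)avpkt->size * 2 * av_get_bytes_per_sample(avctx->sample_fmt);` followed by `if (need > INT_MAX || *data_size < need) {`. The body of g722_decode_frame continues past this hunk, and the pre-existing `avpkt->size * 8` passed to `init_get_bits` has the same shape.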
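Review bot: With the stores changed to `*out_buf++` and the result set by `*data_size = out_len;`, the reported byte count no longer follows from what the loop actually wrote. The two agree only when `av_get_bytes_per_sample(avctx->sample_fmt)` is 2, because the stores are fixed `int16_t`. Whether the decoder's init pins `sample_fmt` to a 16-bit format is not visible here, and an unset or unexpected format would make both the size check and the returned size wrong (a result of 0 would make the check vacuous). Deriving the size from the write pointer keeps them tied together, `*data_size = (uint8_t *)out_buf - (uint8_t *)data;`, or at least add a comment next to the precomputation such as `/* each input byte yields two int16_t samples */`.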