From 86962b13f6d26fee398e4f8264e676461da91dfe Mon Sep 17 00:00:00 2001
From: Justin Ruggles
Date: Fri, 28 Oct 2011 18:24:03 -0400
Subject: imc: check output buffer size before decoding
---
 libavcodec/imc.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'libavcodec/imc.c')
diff --git a/libavcodec/imc.c b/libavcodec/imc.c
index 1a3eeaa1ee..db388e383b 100644
--- a/libavcodec/imc.c
+++ b/libavcodec/imc.c
@@ -651,7 +651,7 @@ static int imc_decode_frame(AVCodecContext * avctx,
 IMCContext *q = avctx->priv_data;
 int stream_format_code;
- int imc_hdr, i, j;
+ int imc_hdr, i, j, out_size;
 int flag;
 int bits, summer;
 int counter, bitscount;
@@ -662,6 +662,12 @@ static int imc_decode_frame(AVCodecContext * avctx,
 return -1;
 }
+ out_size = COEFFS * av_get_bytes_per_sample(avctx->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
 q->dsp.bswap16_buf(buf16, (const uint16_t*)buf, IMC_BLOCK_SIZE / 2);
 q->out_samples = data;
@@ -808,7 +814,7 @@ static int imc_decode_frame(AVCodecContext * avctx,
 imc_imdct256(q);
- *data_size = COEFFS * sizeof(float);
+ *data_size = out_size;
 return IMC_BLOCK_SIZE;
 }
-- 
cgit v1.2.3
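Review bot: The bound added in the second hunk is computed from `avctx->sample_fmt`, whereas the line removed in the third hunk sized the output as `COEFFS * sizeof(float)`, so the check is only as strong as the guarantee that `sample_fmt` matches what the decoder really writes. Where that field is set is outside these hunks; if it can ever hold a narrower or unrecognised format, `av_get_bytes_per_sample()` would give a smaller value (0 for an invalid format, as far as I know), and `*data_size < out_size` would accept a buffer too small for the samples written. I would make the guard fail closed, `if (out_size <= 0 || *data_size < out_size) {`, and add a one-line comment above it naming the write it protects, e.g. `/* decoder writes COEFFS samples of avctx->sample_fmt into data */`. imc_decode_frame begins and ends outside the hunks shown.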