From 4a6a29a7fbf023b19797c38a86099d9f81d25524 Mon Sep 17 00:00:00 2001
From: Justin Ruggles <justin.ruggles@gmail.com>
Date: Tue, 27 Sep 2011 17:24:27 -0400
Subject: libopencore-amr: check output buffer size before decoding

---
 libavcodec/libopencore-amr.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

(limited to 'libavcodec/libopencore-amr.c')

diff --git a/libavcodec/libopencore-amr.c b/libavcodec/libopencore-amr.c
index 6c54a1d118..a705975aa9 100644
--- a/libavcodec/libopencore-amr.c
+++ b/libavcodec/libopencore-amr.c
@@ -131,11 +131,17 @@ static int amr_nb_decode_frame(AVCodecContext *avctx, void *data,
     AMRContext *s      = avctx->priv_data;
     static const uint8_t block_size[16] = { 12, 13, 15, 17, 19, 20, 26, 31, 5, 0, 0, 0, 0, 0, 0, 0 };
     enum Mode dec_mode;
-    int packet_size;
+    int packet_size, out_size;
 
     av_dlog(avctx, "amr_decode_frame buf=%p buf_size=%d frame_count=%d!!\n",
             buf, buf_size, avctx->frame_number);
 
+    out_size = 160 * av_get_bytes_per_sample(avctx->sample_fmt);
+    if (*data_size < out_size) {
+        av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
+
     dec_mode    = (buf[0] >> 3) & 0x000F;
     packet_size = block_size[dec_mode] + 1;
 
@@ -149,7 +155,7 @@ static int amr_nb_decode_frame(AVCodecContext *avctx, void *data,
               packet_size, buf[0], buf[1], buf[2], buf[3]);
     /* call decoder */
     Decoder_Interface_Decode(s->dec_state, buf, data, 0);
-    *data_size = 160 * 2;
+    *data_size = out_size;
 
     return packet_size;
 }
@@ -271,9 +277,15 @@ static int amr_wb_decode_frame(AVCodecContext *avctx, void *data,
     int buf_size       = avpkt->size;
     AMRWBContext *s    = avctx->priv_data;
     int mode;
-    int packet_size;
+    int packet_size, out_size;
     static const uint8_t block_size[16] = {18, 24, 33, 37, 41, 47, 51, 59, 61, 6, 6, 0, 0, 0, 1, 1};
 
+    out_size = 320 * av_get_bytes_per_sample(avctx->sample_fmt);
+    if (*data_size < out_size) {
+        av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
+
     mode        = (buf[0] >> 3) & 0x000F;
     packet_size = block_size[mode];
 
@@ -284,7 +296,7 @@ static int amr_wb_decode_frame(AVCodecContext *avctx, void *data,
     }
 
     D_IF_decode(s->state, buf, data, _good_frame);
-    *data_size = 320 * 2;
+    *data_size = out_size;
     return packet_size;
 }
 
-- 
cgit v1.2.3