From e43dd3d2a8e106169e707484090a2d973ece2184 Mon Sep 17 00:00:00 2001
From: Justin Ruggles <justin.ruggles@gmail.com>
Date: Wed, 14 Sep 2011 13:38:07 -0400
Subject: qcelp: check output buffer size before decoding

---
 libavcodec/qcelpdec.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'libavcodec/qcelpdec.c')

diff --git a/libavcodec/qcelpdec.c b/libavcodec/qcelpdec.c
index 477eaee8c6..a8a65fce06 100644
--- a/libavcodec/qcelpdec.c
+++ b/libavcodec/qcelpdec.c
@@ -738,11 +738,17 @@ static int qcelp_decode_frame(AVCodecContext *avctx, void *data, int *data_size,
     int buf_size = avpkt->size;
     QCELPContext *q = avctx->priv_data;
     float *outbuffer = data;
-    int   i;
+    int   i, out_size;
     float quantized_lspf[10], lpc[10];
     float gain[16];
     float *formant_mem;
 
+    out_size = 160 * av_get_bytes_per_sample(avctx->sample_fmt);
+    if (*data_size < out_size) {
+        av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
+
     if((q->bitrate = determine_bitrate(avctx, buf_size, &buf)) == I_F_Q)
     {
         warn_insufficient_frame_quality(avctx, "bitrate cannot be determined.");
@@ -837,7 +843,7 @@ erasure:
     memcpy(q->prev_lspf, quantized_lspf, sizeof(q->prev_lspf));
     q->prev_bitrate = q->bitrate;
 
-    *data_size = 160 * sizeof(*outbuffer);
+    *data_size = out_size;
 
     return buf_size;
 }
-- 
cgit v1.2.3