From 882dafe9b666a7333d1b256fafe63e35dc582e3f Mon Sep 17 00:00:00 2001
From: Justin Ruggles <justin.ruggles@gmail.com>
Date: Fri, 16 Sep 2011 18:01:28 -0400
Subject: shorten: check output buffer size before decoding

---
 libavcodec/shorten.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'libavcodec/shorten.c')

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index ec50fc1c6e..803175827d 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -550,9 +550,15 @@ static int shorten_decode_frame(AVCodecContext *avctx,
             /* if this is the last channel in the block, output the samples */
             s->cur_chan++;
             if (s->cur_chan == s->channels) {
+                int out_size = s->blocksize * s->channels *
+                               av_get_bytes_per_sample(avctx->sample_fmt);
+                if (*data_size < out_size) {
+                    av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+                    return AVERROR(EINVAL);
+                }
                 samples = interleave_buffer(samples, s->channels, s->blocksize, s->decoded);
                 s->cur_chan = 0;
-                *data_size = (int8_t *)samples - (int8_t *)data;
+                *data_size = out_size;
             } else {
                 *data_size = 0;
             }
-- 
cgit v1.2.3