From a8f8db2636cf9f605fbe842d1136a3e1acc3c9b2 Mon Sep 17 00:00:00 2001
From: Justin Ruggles <justin.ruggles@gmail.com>
Date: Wed, 12 Oct 2011 23:15:00 -0400
Subject: truespeech: check for large enough output buffer rather than
 truncating output

---
 libavcodec/truespeech.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

(limited to 'libavcodec/truespeech.c')

diff --git a/libavcodec/truespeech.c b/libavcodec/truespeech.c
index 0ab2cab03c..6f663f30c5 100644
--- a/libavcodec/truespeech.c
+++ b/libavcodec/truespeech.c
@@ -342,14 +342,22 @@ static int truespeech_decode_frame(AVCodecContext *avctx,
     short *samples = data;
     int consumed = 0;
     int16_t out_buf[240];
-    int iterations;
+    int iterations, out_size;
 
-    if (buf_size < 32) {
+    iterations = buf_size / 32;
+
+    if (!iterations) {
         av_log(avctx, AV_LOG_ERROR,
                "Too small input buffer (%d bytes), need at least 32 bytes\n", buf_size);
         return -1;
     }
-    iterations = FFMIN(buf_size / 32, *data_size / 480);
+
+    out_size = iterations * 240 * av_get_bytes_per_sample(avctx->sample_fmt);
+    if (*data_size < out_size) {
+        av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
+
     for(j = 0; j < iterations; j++) {
         truespeech_read_frame(c, buf + consumed);
         consumed += 32;
@@ -373,7 +381,7 @@ static int truespeech_decode_frame(AVCodecContext *avctx,
 
     }
 
-    *data_size = consumed * 15;
+    *data_size = out_size;
 
     return consumed;
 }
-- 
cgit v1.2.3