From bac6ed4aebb5f25012b3b6293dab7df2767f8401 Mon Sep 17 00:00:00 2001
From: Jai Menon <jmenon86@gmail.com>
Date: Sun, 28 Mar 2010 17:17:48 +0000
Subject: TTA : Check if the output buffer size is within bounds.

Fixes issue 1848.

Originally committed as revision 22711 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/tta.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'libavcodec/tta.c')

diff --git a/libavcodec/tta.c b/libavcodec/tta.c
index 7dd4cc5059..61ac28777c 100644
--- a/libavcodec/tta.c
+++ b/libavcodec/tta.c
@@ -302,6 +302,10 @@ static int tta_decode_frame(AVCodecContext *avctx,
         int cur_chan = 0, framelen = s->frame_length;
         int32_t *p;
 
+        if (*data_size < (framelen * s->channels * 2)) {
+            av_log(avctx, AV_LOG_ERROR,"Output buffer size is too small.\n");
+            return -1;
+        }
         // FIXME: seeking
         s->total_frames--;
         if (!s->total_frames && s->last_frame_length)
-- 
cgit v1.2.3