From e938637b2ca7587c2b349458189f1f7d7da87040 Mon Sep 17 00:00:00 2001
From: Kostya Shishkov
Date: Thu, 13 Sep 2007 05:59:58 +0000
Subject: Add checks on input/output buffers size for some audio decoders
Originally committed as revision 10485 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/ws-snd1.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'libavcodec/ws-snd1.c')
diff --git a/libavcodec/ws-snd1.c b/libavcodec/ws-snd1.c
index 3624909a30..a419e3dfb5 100644
--- a/libavcodec/ws-snd1.c
+++ b/libavcodec/ws-snd1.c
@@ -62,6 +62,14 @@ static int ws_snd_decode_frame(AVCodecContext *avctx,
 in_size = AV_RL16(&buf[2]);
 buf += 4;
+ if (out_size > *data_size) {
+ av_log(avctx, AV_LOG_ERROR, "Frame is too large to fit in buffer\n");
+ return -1;
+ }
+ if (in_size > buf_size) {
+ av_log(avctx, AV_LOG_ERROR, "Frame data is larger than input buffer\n");
+ return -1;
+ }
 if (in_size == out_size) {
 for (i = 0; i < out_size; i++)
 *samples++ = (*buf++ - 0x80) << 8;
--
cgit v1.2.3
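Review bot: The second added check compares `in_size` with `buf_size` after `buf += 4;` has already skipped the header, and nothing in the hunk reduces `buf_size` to match, so a frame whose declared `in_size` exceeds the remaining payload by up to four bytes still passes and the `in_size == out_size` copy loop can read past the end of the input; the comparison should be `if (in_size > buf_size - 4) {`. The `AV_RL16(&buf[2])` header read also sits before the new checks, so unless a `buf_size < 4` test exists above the hunk it runs on an unvalidated length. For the first check, the assignments to `out_size` and `*data_size` are above the hunk: it only protects the output if `*data_size` still holds the caller's capacity at this point and is counted in the same unit as `out_size`, which is worth confirming given that the loop stores one widened sample per input byte. The body of ws_snd_decode_frame starts and continues outside the hunk.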