libopencore-amr: check output buffer size before decoding

libavcodec/libopencore-amr.c

@@ -131,11 +131,17 @@ static int amr_nb_decode_frame(AVCodecContext *avctx, void *data,
     AMRContext *s      = avctx->priv_data;
     static const uint8_t block_size[16] = { 12, 13, 15, 17, 19, 20, 26, 31, 5, 0, 0, 0, 0, 0, 0, 0 };
     enum Mode dec_mode;
-    int packet_size;
+    int packet_size, out_size;
 
     av_dlog(avctx, "amr_decode_frame buf=%p buf_size=%d frame_count=%d!!\n",
             buf, buf_size, avctx->frame_number);
 
+    out_size = 160 * av_get_bytes_per_sample(avctx->sample_fmt);
+    if (*data_size < out_size) {
+        av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
+
     dec_mode    = (buf[0] >> 3) & 0x000F;
     packet_size = block_size[dec_mode] + 1;
 
@@ -149,7 +155,7 @@ static int amr_nb_decode_frame(AVCodecContext *avctx, void *data,
               packet_size, buf[0], buf[1], buf[2], buf[3]);
     /* call decoder */
     Decoder_Interface_Decode(s->dec_state, buf, data, 0);
-    *data_size = 160 * 2;
+    *data_size = out_size;
 
     return packet_size;
 }
@@ -271,9 +277,15 @@ static int amr_wb_decode_frame(AVCodecContext *avctx, void *data,
     int buf_size       = avpkt->size;
     AMRWBContext *s    = avctx->priv_data;
     int mode;
-    int packet_size;
+    int packet_size, out_size;
     static const uint8_t block_size[16] = {18, 24, 33, 37, 41, 47, 51, 59, 61, 6, 6, 0, 0, 0, 1, 1};
 
+    out_size = 320 * av_get_bytes_per_sample(avctx->sample_fmt);
+    if (*data_size < out_size) {
+        av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
+
     mode        = (buf[0] >> 3) & 0x000F;
     packet_size = block_size[mode];
 
@@ -284,7 +296,7 @@ static int amr_wb_decode_frame(AVCodecContext *avctx, void *data,
     }
 
     D_IF_decode(s->state, buf, data, _good_frame);
-    *data_size = 320 * 2;
+    *data_size = out_size;
     return packet_size;
 }