atrac3: check output buffer size before decoding

7e4881a2 · Justin Ruggles · 6ba7f78b · 7e4881a2
Commit 7e4881a2 authored Oct 14, 2011 by Justin Ruggles
Show whitespace changes
Inline Side-by-side

Showing with 8 additions and 2 deletions

atrac3.c libavcodec/atrac3.c +8 -2

No files found.
--- a/libavcodec/atrac3.c
+++ b/libavcodec/atrac3.c
@@ -827,7 +827,7 @@ static int atrac3_decode_frame(AVCodecContext *avctx,
    const uint8_t *buf = avpkt->data;
    int buf_size = avpkt->size;
    ATRAC3Context *q = avctx->priv_data;
-    int result = 0;
+    int result = 0, out_size;
    const uint8_t* databuf;
    float *samples = data;

@@ -838,6 +838,12 @@ static int atrac3_decode_frame(AVCodecContext *avctx,
        return buf_size;
    }

+    out_size = 1024 * q->channels * av_get_bytes_per_sample(avctx->sample_fmt);
+    if (*data_size < out_size) {
+        av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
+
    /* Check if we need to descramble and what buffer to pass on. */
    if (q->scrambled_stream) {
        decode_bytes(buf, q->decoded_bytes_buffer, avctx->block_align);
@@ -858,7 +864,7 @@ static int atrac3_decode_frame(AVCodecContext *avctx,
        q->fmt_conv.float_interleave(samples, (const float **)q->outSamples,
                                     1024, 2);
    }
-    *data_size = 1024 * q->channels * av_get_bytes_per_sample(avctx->sample_fmt);
+    *data_size = out_size;

    return avctx->block_align;
 }