Commit 895d258e authored by Michael Niedermayer's avatar Michael Niedermayer

qdm2dec: fix buffer overflow.

Fixes NGS00144

Thanks to Phillip for suggestions to improve the patch.
Found-by: Phillip Langlois
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
parent 919c00ba
...@@ -170,7 +170,7 @@ typedef struct { ...@@ -170,7 +170,7 @@ typedef struct {
/// I/O data /// I/O data
const uint8_t *compressed_data; const uint8_t *compressed_data;
int compressed_size; int compressed_size;
float output_buffer[QDM2_MAX_FRAME_SIZE * 2]; float output_buffer[QDM2_MAX_FRAME_SIZE * MPA_MAX_CHANNELS * 2];
/// Synthesis filter /// Synthesis filter
MPADSPContext mpadsp; MPADSPContext mpadsp;
...@@ -1896,6 +1896,9 @@ static int qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out) ...@@ -1896,6 +1896,9 @@ static int qdm2_decode (QDM2Context *q, const uint8_t *in, int16_t *out)
int ch, i; int ch, i;
const int frame_size = (q->frame_size * q->channels); const int frame_size = (q->frame_size * q->channels);
if((unsigned)frame_size > FF_ARRAY_ELEMS(q->output_buffer)/2)
return -1;
/* select input buffer */ /* select input buffer */
q->compressed_data = in; q->compressed_data = in;
q->compressed_size = q->checksum_size; q->compressed_size = q->checksum_size;
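Review bot: The new guard in qdm2_decode bounds only the product `q->frame_size * q->channels`, and that product is computed as a signed `int` before the `(unsigned)` cast, so neither factor is limited on its own. If both values are taken from stream headers (their parsing is outside this hunk), I would reject them where they are read, against the same constants that now size `output_buffer`, e.g. `if (q->channels <= 0 || q->channels > MPA_MAX_CHANNELS) return AVERROR_INVALIDDATA;` with a matching test of `q->frame_size` against `QDM2_MAX_FRAME_SIZE`. The `/2` in the comparison is unexplained; a comment such as `/* output_buffer holds two frames' worth of samples */` would help, assuming that is the intent. The bare `return -1;` gives callers and logs nothing to go on; `AVERROR_INVALIDDATA` plus an `av_log` error line would make a malformed stream visible. The body of qdm2_decode continues past the end of the hunk, so how the buffer is indexed afterwards cannot be confirmed from here.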