dpcm: Round output buffer size up.

Fixes: CVE-2011-3951 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

dpcm: Round output buffer size up.
Fixes: CVE-2011-3951 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
92115bb6 · Michael Niedermayer · ddf0c1d8 · 92115bb6
Commit 92115bb6 authored Jan 26, 2012 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

dpcm.c libavcodec/dpcm.c +4 -1

No files found.
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -205,9 +205,12 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
        av_log(avctx, AV_LOG_ERROR, "packet is too small\n");
        return AVERROR(EINVAL);
    }
+    if (out % s->channels) {
+        av_log(avctx, AV_LOG_WARNING, "channels have differing number of samples\n");
+    }

    /* get output buffer */
-    s->frame.nb_samples = out / s->channels;
+    s->frame.nb_samples = (out + s->channels - 1) / s->channels;
    if ((ret = avctx->get_buffer(avctx, &s->frame)) < 0) {
        av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
        return ret;