g722dec: check output buffer size before decoding

a3a85721 · Justin Ruggles · 4e419737 · a3a85721
Commit a3a85721 authored Oct 23, 2011 by Justin Ruggles
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 4 deletions

g722dec.c libavcodec/g722dec.c +10 -4

No files found.
--- a/libavcodec/g722dec.c
+++ b/libavcodec/g722dec.c
@@ -85,11 +85,17 @@ static int g722_decode_frame(AVCodecContext *avctx, void *data,
 {
    G722Context *c = avctx->priv_data;
    int16_t *out_buf = data;
-    int j, out_len = 0;
+    int j, out_len;
    const int skip = 8 - avctx->bits_per_coded_sample;
    const int16_t *quantizer_table = low_inv_quants[skip];
    GetBitContext gb;

+    out_len = avpkt->size * 2 * av_get_bytes_per_sample(avctx->sample_fmt);
+    if (*data_size < out_len) {
+        av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
+
    init_get_bits(&gb, avpkt->data, avpkt->size * 8);

    for (j = 0; j < avpkt->size; j++) {
@@ -114,15 +120,15 @@ static int g722_decode_frame(AVCodecContext *avctx, void *data,
        c->prev_samples[c->prev_samples_pos++] = rlow - rhigh;
        ff_g722_apply_qmf(c->prev_samples + c->prev_samples_pos - 24,
                          &xout1, &xout2);
-        out_buf[out_len++] = av_clip_int16(xout1 >> 12);
-        out_buf[out_len++] = av_clip_int16(xout2 >> 12);
+        *out_buf++ = av_clip_int16(xout1 >> 12);
+        *out_buf++ = av_clip_int16(xout2 >> 12);
        if (c->prev_samples_pos >= PREV_SAMPLES_BUF_SIZE) {
            memmove(c->prev_samples, c->prev_samples + c->prev_samples_pos - 22,
                    22 * sizeof(c->prev_samples[0]));
            c->prev_samples_pos = 22;
        }
    }
-    *data_size = out_len << 1;
+    *data_size = out_len;
    return avpkt->size;
 }