mpc7: check output buffer size before decoding

c8b5c4d2 · Justin Ruggles · fac6b7f9 · c8b5c4d2
Commit c8b5c4d2 authored Sep 13, 2011 by Justin Ruggles
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 2 deletions

mpc7.c libavcodec/mpc7.c +8 -2

No files found.
--- a/libavcodec/mpc7.c
+++ b/libavcodec/mpc7.c
@@ -197,7 +197,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx,
    int i, ch;
    int mb = -1;
    Band *bands = c->bands;
-    int off;
+    int off, out_size;
    int bits_used, bits_avail;
    memset(bands, 0, sizeof(bands));
@@ -205,6 +205,12 @@ static int mpc7_decode_frame(AVCodecContext * avctx,
        av_log(avctx, AV_LOG_ERROR, "Too small buffer passed (%i bytes)\n", buf_size);
    }
+    out_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4;
+    if (*data_size < out_size) {
+        av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
    bits = av_malloc(((buf_size - 1) & ~3) + FF_INPUT_BUFFER_PADDING_SIZE);
    c->dsp.bswap_buf((uint32_t*)bits, (const uint32_t*)(buf + 4), (buf_size - 4) >> 2);
    init_get_bits(&gb, bits, (buf_size - 4)* 8);
@@ -277,7 +283,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx,
        *data_size = 0;
        return buf_size;
    }
-    *data_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4;
+    *data_size = out_size;
    return buf_size;
 }