Commit e53eecd0 authored by Justin Ruggles's avatar Justin Ruggles

twinvq: check output buffer size before decoding

parent 5ed68178
...@@ -822,7 +822,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data, ...@@ -822,7 +822,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data,
const ModeTab *mtab = tctx->mtab; const ModeTab *mtab = tctx->mtab;
float *out = data; float *out = data;
enum FrameType ftype; enum FrameType ftype;
int window_type; int window_type, out_size;
static const enum FrameType wtype_to_ftype_table[] = { static const enum FrameType wtype_to_ftype_table[] = {
FT_LONG, FT_LONG, FT_SHORT, FT_LONG, FT_LONG, FT_LONG, FT_SHORT, FT_LONG,
FT_MEDIUM, FT_LONG, FT_LONG, FT_MEDIUM, FT_MEDIUM FT_MEDIUM, FT_LONG, FT_LONG, FT_MEDIUM, FT_MEDIUM
...@@ -834,6 +834,13 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data, ...@@ -834,6 +834,13 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data,
return AVERROR(EINVAL); return AVERROR(EINVAL);
} }
out_size = mtab->size * avctx->channels *
av_get_bytes_per_sample(avctx->sample_fmt);
if (*data_size < out_size) {
av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n");
return AVERROR(EINVAL);
}
init_get_bits(&gb, buf, buf_size * 8); init_get_bits(&gb, buf, buf_size * 8);
skip_bits(&gb, get_bits(&gb, 8)); skip_bits(&gb, get_bits(&gb, 8));
window_type = get_bits(&gb, WINDOW_TYPE_BITS); window_type = get_bits(&gb, WINDOW_TYPE_BITS);
...@@ -856,7 +863,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data, ...@@ -856,7 +863,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data,
return buf_size; return buf_size;
} }
*data_size = mtab->size*avctx->channels*4; *data_size = out_size;
return buf_size; return buf_size;
} }
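Review bot: The `out_size` computed in the second hunk is a product of three `int` values stored in an `int`, so the new bound check is only as strong as the limits on `avctx->channels` and `mtab->size`. If those are not capped at init time (not visible in these hunks), the product can overflow and `*data_size < out_size` would pass for a buffer that is actually too small. Computing it in a wider type, `int64_t out_size = (int64_t)mtab->size * avctx->channels * av_get_bytes_per_sample(avctx->sample_fmt);`, and rejecting `out_size > INT_MAX` before the comparison would make the check self-contained. Since `out` is written through a `float *`, the check also presumably relies on `avctx->sample_fmt` being the float format the decoder sets, which merits a one-line comment such as `/* decoder always outputs float; sample_fmt is set at init */`. The body of twin_decode_frame starts above the first hunk.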