[FFmpeg-cvslog] qdm2: check output buffer size before decoding

Justin Ruggles git at videolan.org
Fri Nov 4 13:22:14 CET 2011


ffmpeg | branch: release/0.8 | Justin Ruggles <justin.ruggles at gmail.com> | Wed Sep 14 13:57:04 2011 -0400| [78eab18740b457bc482845d5f4ec8fe484e0afb3] | committer: Michael Niedermayer

qdm2: check output buffer size before decoding
(cherry picked from commit 7d49f79f1cd47783a963a757a6563b9cac29db62)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=78eab18740b457bc482845d5f4ec8fe484e0afb3
---

 libavcodec/qdm2.c |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/libavcodec/qdm2.c b/libavcodec/qdm2.c
index 1665c8d..144ce98 100644
--- a/libavcodec/qdm2.c
+++ b/libavcodec/qdm2.c
@@ -1958,13 +1958,20 @@ static int qdm2_decode_frame(AVCodecContext *avctx,
     int buf_size = avpkt->size;
     QDM2Context *s = avctx->priv_data;
     int16_t *out = data;
-    int i;
+    int i, out_size;
 
     if(!buf)
         return 0;
     if(buf_size < s->checksum_size)
         return -1;
 
+    out_size = 16 * s->channels * s->frame_size *
+               av_get_bytes_per_sample(avctx->sample_fmt);
+    if (*data_size < out_size) {
+        av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
+
     av_log(avctx, AV_LOG_DEBUG, "decode(%d): %p[%d] -> %p[%d]\n",
        buf_size, buf, s->checksum_size, data, *data_size);
 
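Review bot: The `out_size` product on the added lines is evaluated in `int`, so the new guard is only as strong as the bounds on `s->channels` and `s->frame_size`. If those are not tightly limited where the context is initialised (not visible in this hunk), a signed overflow could yield a small or negative `out_size` and let `*data_size < out_size` pass with an undersized buffer. Computing the size in a wider type, e.g. `int64_t sz = 16LL * s->channels * s->frame_size * av_get_bytes_per_sample(avctx->sample_fmt);` followed by `if (sz > INT_MAX || *data_size < sz)`, would make the check self-contained. The new failure path also returns `AVERROR(EINVAL)` while the check just above it returns a bare `-1`; one convention would be easier on callers. qdm2_decode_frame starts before and continues past this hunk.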
@@ -1974,7 +1981,7 @@ static int qdm2_decode_frame(AVCodecContext *avctx,
         out += s->channels * s->frame_size;
     }
 
-    *data_size = (uint8_t*)out - (uint8_t*)data;
+    *data_size = out_size;
 
     return s->checksum_size;
 }
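Review bot: `*data_size = out_size;` reports a byte count computed independently of what the loop actually wrote, so it is correct only while two assumptions hold. The loop whose start lies outside this hunk must run exactly 16 times, and `av_get_bytes_per_sample(avctx->sample_fmt)` must equal `sizeof(int16_t)`, because `out` is an `int16_t *` advanced by `s->channels * s->frame_size` per iteration. A comment above the assignment such as `/* 16 iterations of s->channels * s->frame_size S16 samples; must match the decode loop */`, or a named constant shared with the loop bound, would keep the size check and the reported length from drifting apart. The function begins outside this hunk.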


