[FFmpeg-cvslog] mpc7: check output buffer size before decoding
Justin Ruggles
git at videolan.org
Sun Nov 6 20:18:55 CET 2011
ffmpeg | branch: release/0.5 | Justin Ruggles <justin.ruggles at gmail.com> | Tue Sep 13 18:53:18 2011 -0400| [8d1fa1c97e1d11614489d2ea746be1a435563dd0] | committer: Michael Niedermayer
mpc7: check output buffer size before decoding
(cherry picked from commit c8b5c4d27409dfdcec80868686b173ba446c998b)
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit b833859daa4eb8fe0ec9117859b21a734905b895)
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=8d1fa1c97e1d11614489d2ea746be1a435563dd0
---
libavcodec/mpc7.c | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/libavcodec/mpc7.c b/libavcodec/mpc7.c
index 7077c96..2858255 100644
--- a/libavcodec/mpc7.c
+++ b/libavcodec/mpc7.c
@@ -164,7 +164,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx,
int i, ch, t;
int mb = -1;
Band *bands = c->bands;
- int off;
+ int off, out_size;
int bits_used, bits_avail;
memset(bands, 0, sizeof(bands));
@@ -172,6 +172,12 @@ static int mpc7_decode_frame(AVCodecContext * avctx,
av_log(avctx, AV_LOG_ERROR, "Too small buffer passed (%i bytes)\n", buf_size);
}
+ out_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4;
+ if (*data_size < out_size) {
+ av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
bits = av_malloc(((buf_size - 1) & ~3) + FF_INPUT_BUFFER_PADDING_SIZE);
c->dsp.bswap_buf((uint32_t*)bits, (const uint32_t*)(buf + 4), (buf_size - 4) >> 2);
init_get_bits(&gb, bits, (buf_size - 4)* 8);
@@ -248,7 +254,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx,
*data_size = 0;
return buf_size;
}
- *data_size = (buf[1] ? c->lastframelen : MPC_FRAME_SIZE) * 4;
+ *data_size = out_size;
return buf_size;
}
More information about the ffmpeg-cvslog
mailing list