[FFmpeg-cvslog] twinvq: check output buffer size before decoding

Justin Ruggles git at videolan.org
Sun Oct 23 05:53:11 CEST 2011


ffmpeg | branch: master | Justin Ruggles <justin.ruggles at gmail.com> | Fri Sep 23 19:50:41 2011 -0400| [e53eecd0e7211973a1a9757f559bdd93a1848901] | committer: Justin Ruggles

twinvq: check output buffer size before decoding

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e53eecd0e7211973a1a9757f559bdd93a1848901
---

 libavcodec/twinvq.c |   11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/libavcodec/twinvq.c b/libavcodec/twinvq.c
index 1c800ee..c7ce11d 100644
--- a/libavcodec/twinvq.c
+++ b/libavcodec/twinvq.c
@@ -822,7 +822,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data,
     const ModeTab *mtab = tctx->mtab;
     float *out = data;
     enum FrameType ftype;
-    int window_type;
+    int window_type, out_size;
     static const enum FrameType wtype_to_ftype_table[] = {
         FT_LONG,   FT_LONG, FT_SHORT, FT_LONG,
         FT_MEDIUM, FT_LONG, FT_LONG,  FT_MEDIUM, FT_MEDIUM
@@ -834,6 +834,13 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data,
         return AVERROR(EINVAL);
     }
 
+    out_size = mtab->size * avctx->channels *
+               av_get_bytes_per_sample(avctx->sample_fmt);
+    if (*data_size < out_size) {
+        av_log(avctx, AV_LOG_ERROR, "output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
+
     init_get_bits(&gb, buf, buf_size * 8);
     skip_bits(&gb, get_bits(&gb, 8));
     window_type = get_bits(&gb, WINDOW_TYPE_BITS);
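Review bot: The added `out_size` computation multiplies three `int` values with no overflow guard, and it reads `avctx->channels` and `avctx->sample_fmt` as they stand at decode time, while the samples are written through `float *out`. The byte count compared with `*data_size` therefore matches the bytes actually written only if the init function bounds the channel count and pins a 4-byte float sample format, which is not visible in this hunk. If that invariant holds, I would record it above the computation with a comment such as `/* channels and sample_fmt are validated in init; out is float, so this is size * channels * sizeof(float) */`. If it does not hold, the check should be computed from values the decoder stored at init rather than from the caller-visible fields. The body of `twin_decode_frame` begins and ends outside this hunk.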
@@ -856,7 +863,7 @@ static int twin_decode_frame(AVCodecContext * avctx, void *data,
         return buf_size;
     }
 
-    *data_size = mtab->size*avctx->channels*4;
+    *data_size = out_size;
 
     return buf_size;
 }


