[FFmpeg-cvslog] vorbisdec: check output buffer size before writing output
Justin Ruggles
git at videolan.org
Fri Nov 4 20:49:28 CET 2011
ffmpeg | branch: release/0.7 | Justin Ruggles <justin.ruggles at gmail.com> | Fri Sep 23 19:56:58 2011 -0400| [2137d99086b36b95f589ec19ab3f906d32d31b4a] | committer: Michael Niedermayer
vorbisdec: check output buffer size before writing output
(cherry picked from commit 60aa1a358d9c1c8f891e72246d5dcd897857eca8)
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2137d99086b36b95f589ec19ab3f906d32d31b4a
---
libavcodec/vorbisdec.c | 12 +++++++++---
1 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/libavcodec/vorbisdec.c b/libavcodec/vorbisdec.c
index 024c8fd..8f16d3a 100644
--- a/libavcodec/vorbisdec.c
+++ b/libavcodec/vorbisdec.c
@@ -1605,7 +1605,7 @@ static int vorbis_decode_frame(AVCodecContext *avccontext,
vorbis_context *vc = avccontext->priv_data ;
GetBitContext *gb = &(vc->gb);
const float *channel_ptrs[255];
- int i, len;
+ int i, len, out_size;
if (!buf_size)
return 0;
@@ -1630,6 +1630,13 @@ static int vorbis_decode_frame(AVCodecContext *avccontext,
av_dlog(NULL, "parsed %d bytes %d bits, returned %d samples (*ch*bits) \n",
get_bits_count(gb) / 8, get_bits_count(gb) % 8, len);
+ out_size = len * vc->audio_channels *
+ av_get_bytes_per_sample(avccontext->sample_fmt);
+ if (*data_size < out_size) {
+ av_log(avccontext, AV_LOG_ERROR, "output buffer is too small\n");
+ return AVERROR(EINVAL);
+ }
+
if (vc->audio_channels > 8) {
for (i = 0; i < vc->audio_channels; i++)
channel_ptrs[i] = vc->channel_floors + i * len;
@@ -1645,8 +1652,7 @@ static int vorbis_decode_frame(AVCodecContext *avccontext,
vc->fmt_conv.float_to_int16_interleave(data, channel_ptrs, len,
vc->audio_channels);
- *data_size = len * vc->audio_channels *
- av_get_bytes_per_sample(avccontext->sample_fmt);
+ *data_size = out_size;
return buf_size ;
}
More information about the ffmpeg-cvslog
mailing list