Check output buffer size in nellymoser decoder.
authorLaurent Aimar <fenrir@videolan.org>
Wed, 21 Sep 2011 18:46:29 +0000 (20:46 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Sun, 6 Nov 2011 17:40:19 +0000 (18:40 +0100)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 741ec30bd2385f794efa9fafa84d39a917f2574e)
(cherry picked from commit 533dbaa55b7d45d5ca76f9ed46f5690282f86ea9)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/nellymoserdec.c

index 94e6129..ec35369 100644 (file)
@@ -154,6 +154,7 @@ static int decode_tag(AVCodecContext * avctx,
                       void *data, int *data_size,
                       const uint8_t * buf, int buf_size) {
     NellyMoserDecodeContext *s = avctx->priv_data;
+    int data_max = *data_size;
     int blocks, i;
     int16_t* samples;
     *data_size = 0;
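Review bot: `data_max` is a signed `int` copied straight from the caller's `*data_size`, but the bound it feeds in the loop (second hunk) is evaluated as `size_t` because of `sizeof(int16_t)`. In that comparison a negative `data_max` is converted to a very large unsigned value, so the new check would never fire and the writes into `samples` would be unbounded again. Whether any caller can pass a negative size is not visible here, but rejecting it after the declarations keeps the guard sound, e.g. `if (data_max < 0) return -1;`. The body of decode_tag continues outside the hunk.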
@@ -177,6 +178,8 @@ static int decode_tag(AVCodecContext * avctx,
     }
 
     for (i=0 ; i<blocks ; i++) {
+        if ((i + 1) * NELLY_SAMPLES * sizeof(int16_t) > data_max)
+            return i > 0 ? i * NELLY_BLOCK_LEN : -1;
         nelly_decode_block(s, &buf[i*NELLY_BLOCK_LEN], s->float_buf);
         s->dsp.float_to_int16(&samples[i*NELLY_SAMPLES], s->float_buf, NELLY_SAMPLES);
         *data_size += NELLY_SAMPLES*sizeof(int16_t);
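Review bot: The early exit added at the top of the loop is silent, so a caller cannot tell an undersized output buffer from a decode failure. With `i == 0` it returns a bare `-1`, and with `i > 0` it returns a short byte count with no message. A log line before the return, e.g. `av_log(avctx, AV_LOG_ERROR, "output buffer too small\n");`, would make the cause visible. A comment such as `/* stop before overrunning the caller's buffer; return only the bytes of the blocks actually decoded */` would document the partial-consume contract. The loop and the rest of decode_tag continue outside the hunk.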