Guard against output buffer overflows

Originally committed as revision 10548 to svn://svn.ffmpeg.org/ffmpeg/trunk
Kostya Shishkov 2007-09-22 09:21:43 +00:00
parent 675a0583b4
commit a2085a7e9d


@ -173,6 +173,10 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
if (!buf_size) if (!buf_size)
return 0; return 0;
// almost every DPCM variant expands one byte of data into two
if(*data_size/2 < buf_size)
return -1;
switch(avctx->codec->id) { switch(avctx->codec->id) {
case CODEC_ID_ROQ_DPCM: case CODEC_ID_ROQ_DPCM:
@ -256,6 +260,8 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
case CODEC_ID_SOL_DPCM: case CODEC_ID_SOL_DPCM:
in = 0; in = 0;
if (avctx->codec_tag != 3) { if (avctx->codec_tag != 3) {
if(*data_size/4 < buf_size)
return -1;
while (in < buf_size) { while (in < buf_size) {
int n1, n2; int n1, n2;
n1 = (buf[in] >> 4) & 0xF; n1 = (buf[in] >> 4) & 0xF;
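Review bot: Both new guards, `if(*data_size/2 < buf_size)` ahead of the switch and `if(*data_size/4 < buf_size)` in the CODEC_ID_SOL_DPCM branch, only protect the output buffer if `*data_size` holds the caller's output capacity in bytes on entry, and the visible lines neither state nor check that contract. I would spell it out at the first guard, for example `// *data_size is the output capacity in bytes on entry; one input byte -> two output bytes`, and at the second `// 4-bit variants emit two samples (four output bytes) per input byte`. The bare `return -1` gives no diagnostic, so an `av_log(avctx, AV_LOG_ERROR, "output buffer too small\n");` before each return would make rejected frames visible to whoever triages a bad stream. dpcm_decode_frame starts and ends outside these hunks, so it is not possible to confirm from here that the remaining switch cases, including the `codec_tag == 3` path, stay within the two-bytes-per-input-byte bound that the first guard assumes.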