mirror of
https://git.ffmpeg.org/ffmpeg.git
synced 2025-01-16 20:31:32 +00:00
Guard against output buffer overflows
Originally committed as revision 10548 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
parent
675a0583b4
commit
a2085a7e9d
@ -173,6 +173,10 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
|
|||||||
if (!buf_size)
|
if (!buf_size)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
// almost every DPCM variant expands one byte of data into two
|
||||||
|
if(*data_size/2 < buf_size)
|
||||||
|
return -1;
|
||||||
|
|
||||||
switch(avctx->codec->id) {
|
switch(avctx->codec->id) {
|
||||||
|
|
||||||
case CODEC_ID_ROQ_DPCM:
|
case CODEC_ID_ROQ_DPCM:
|
||||||
@ -256,6 +260,8 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
|
|||||||
case CODEC_ID_SOL_DPCM:
|
case CODEC_ID_SOL_DPCM:
|
||||||
in = 0;
|
in = 0;
|
||||||
if (avctx->codec_tag != 3) {
|
if (avctx->codec_tag != 3) {
|
||||||
|
if(*data_size/4 < buf_size)
|
||||||
|
return -1;
|
||||||
while (in < buf_size) {
|
while (in < buf_size) {
|
||||||
int n1, n2;
|
int n1, n2;
|
||||||
n1 = (buf[in] >> 4) & 0xF;
|
n1 = (buf[in] >> 4) & 0xF;
|
||||||
|
Loading…
Reference in New Issue
Block a user