mmal/codec: Check picture buffer size before usage
authorJulian Scheel <julian@jusst.de>
Thu, 4 Sep 2014 10:43:02 +0000 (12:43 +0200)
committerJean-Baptiste Kempf <jb@videolan.org>
Thu, 4 Sep 2014 16:19:35 +0000 (18:19 +0200)
We need to make sure that a buffer is big enough to store the amount of data
we expect to receive from the decoder. Without this check, memory could be
corrupted by the decoder writing outside the allocated memory.

Signed-off-by: Julian Scheel <julian@jusst.de>
Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org>
modules/hw/mmal/codec.c

index d2424eaad8c2f82cf29c270dbcc363b8b4019f40..2e7a0d0c16c94c71a385e1d91ee9e5c4301755db 100644 (file)
@@ -373,6 +373,7 @@ static int send_output_buffer(decoder_t *dec)
     MMAL_BUFFER_HEADER_T *buffer;
     picture_t *picture;
     MMAL_STATUS_T status;
+    int buffer_size = 0;
     int ret = 0;
 
     buffer = mmal_queue_get(sys->output_pool->queue);
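Review bot: `buffer_size` is declared as a signed `int`, but the check added in the next hunk compares it with `sys->output->buffer_size` and prints both with `%d`. If that port field is unsigned, as MMAL's `buffer_size` is, the comparison is done in unsigned arithmetic, so a sum that overflowed or went negative would convert to a large value and pass the guard meant to stop out-of-bounds decoder writes. Declaring the accumulator as `size_t buffer_size = 0;`, widening each factor before the multiply (`(size_t)picture->p[i].i_lines * picture->p[i].i_pitch`), and matching the format specifiers to the operand types keeps the bound check meaningful. The body of `send_output_buffer` begins and ends outside this hunk.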
@@ -390,6 +391,16 @@ static int send_output_buffer(decoder_t *dec)
         goto out;
     }
 
+    for (int i = 0; i < picture->i_planes; i++)
+        buffer_size += picture->p[i].i_lines * picture->p[i].i_pitch;
+
+    if (buffer_size < sys->output->buffer_size) {
+        msg_Err(dec, "Retrieved picture with too small data block (%d < %d)",
+                buffer_size, sys->output->buffer_size);
+        ret = VLC_EGENERIC;
+        goto out;
+    }
+
     mmal_buffer_header_reset(buffer);
     buffer->user_data = picture;
     buffer->cmd = 0;
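Review bot: The new failure branch jumps to `out` while still holding the buffer header taken from `sys->output_pool->queue` and the picture whose size was just rejected. The `out` label and the code that obtained the picture are outside this hunk, so this cannot be confirmed here, but if `out` only returns `ret`, every rejected picture removes a header from the pool and leaks a picture reference, and repeated rejections would eventually starve the decoder of output buffers. Calling `mmal_buffer_header_release(buffer);` and the picture's matching release function before `goto out;` would keep the rejection path self-contained. Separately, the per-plane sum bounds the decoder's write only if the planes form one contiguous allocation, which the hunk does not show; a comment stating that assumption next to the loop would help.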