ra288: return error if input buffer is too small

[ffmpeg] / libavcodec / mpc8.c

diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c
index 865ffc1b983281192dfebe6cac0dfa40990f0c2f..b38664215b4b0c2f60abe52b8730ee0ae3f40c18 100644 (file)
--- a/libavcodec/mpc8.c
+++ b/libavcodec/mpc8.c
@@ -2,20 +2,20 @@
  * Musepack SV8 decoder
  * Copyright (c) 2007 Konstantin Shishkov
  *
- * This file is part of FFmpeg.
+ * This file is part of Libav.
  *
- * FFmpeg is free software; you can redistribute it and/or
+ * Libav is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
  * License as published by the Free Software Foundation; either
  * version 2.1 of the License, or (at your option) any later version.
  *
- * FFmpeg is distributed in the hope that it will be useful,
+ * Libav is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  * Lesser General Public License for more details.
  *
  * You should have received a copy of the GNU Lesser General Public
- * License along with FFmpeg; if not, write to the Free Software
+ * License along with Libav; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  */
 
@@ -29,11 +29,10 @@
 #include "avcodec.h"
 #include "get_bits.h"
 #include "dsputil.h"
-#include "mpegaudio.h"
-#include "libavcore/audioconvert.h"
+#include "mpegaudiodsp.h"
+#include "libavutil/audioconvert.h"
 
 #include "mpc.h"
-#include "mpcdata.h"
 #include "mpc8data.h"
 #include "mpc8huff.h"
 
@@ -120,6 +119,7 @@ static av_cold int mpc8_decode_init(AVCodecContext * avctx)
     memset(c->oldDSCF, 0, sizeof(c->oldDSCF));
     av_lfg_init(&c->rnd, 0xDEADBEEF);
     dsputil_init(&c->dsp, avctx);
+    ff_mpadsp_init(&c->mpadsp);
 
     ff_mpc_init();
 
@@ -241,10 +241,16 @@ static int mpc8_decode_frame(AVCodecContext * avctx,
     GetBitContext gb2, *gb = &gb2;
     int i, j, k, ch, cnt, res, t;
     Band *bands = c->bands;
-    int off;
+    int off, out_size;
     int maxband, keyframe;
     int last[2];
 
+    out_size = MPC_FRAME_SIZE * 2 * avctx->channels;
+    if (*data_size < out_size) {
+        av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
+
     keyframe = c->cur_frame == 0;
 
     if(keyframe){
@@ -260,6 +266,8 @@ static int mpc8_decode_frame(AVCodecContext * avctx,
         maxband = c->last_max_band + get_vlc2(gb, band_vlc.table, MPC8_BANDS_BITS, 2);
         if(maxband > 32) maxband -= 33;
     }
+    if(maxband > c->maxbands)
+        return AVERROR_INVALIDDATA;
     c->last_max_band = maxband;
 
     /* read subband indexes */
@@ -400,19 +408,17 @@ static int mpc8_decode_frame(AVCodecContext * avctx,
     c->last_bits_used = get_bits_count(gb);
     if(c->cur_frame >= c->frames)
         c->cur_frame = 0;
-    *data_size =  MPC_FRAME_SIZE * 2 * avctx->channels;
+    *data_size =  out_size;
 
     return c->cur_frame ? c->last_bits_used >> 3 : buf_size;
 }
 
 AVCodec ff_mpc8_decoder = {
-    "mpc8",
-    AVMEDIA_TYPE_AUDIO,
-    CODEC_ID_MUSEPACK8,
-    sizeof(MPCContext),
-    mpc8_decode_init,
-    NULL,
-    NULL,
-    mpc8_decode_frame,
+    .name           = "mpc8",
+    .type           = AVMEDIA_TYPE_AUDIO,
+    .id             = CODEC_ID_MUSEPACK8,
+    .priv_data_size = sizeof(MPCContext),
+    .init           = mpc8_decode_init,
+    .decode         = mpc8_decode_frame,
     .long_name = NULL_IF_CONFIG_SMALL("Musepack SV8"),
 };