X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fmpc8.c;h=2f6bde3231f74aa8686dce14097bfc16a97b6293;hb=0a23067ab41326dfa1da41d18923ea8547a51ff5;hp=2864b1a01096c46fbf58185c4dbc7830e52d30c5;hpb=80e4fe4063001d0cf468d5f4c7c02ba5b04484b7;p=ffmpeg diff --git a/libavcodec/mpc8.c b/libavcodec/mpc8.c index 2864b1a0109..2f6bde3231f 100644 --- a/libavcodec/mpc8.c +++ b/libavcodec/mpc8.c @@ -127,6 +127,8 @@ static av_cold int mpc8_decode_init(AVCodecContext * avctx) skip_bits(&gb, 3);//sample rate c->maxbands = get_bits(&gb, 5) + 1; + if (c->maxbands >= BANDS) + return AVERROR_INVALIDDATA; channels = get_bits(&gb, 4) + 1; if (channels > 2) { av_log_missing_feature(avctx, "Multichannel MPC SV8", 1); @@ -241,10 +243,16 @@ static int mpc8_decode_frame(AVCodecContext * avctx, GetBitContext gb2, *gb = &gb2; int i, j, k, ch, cnt, res, t; Band *bands = c->bands; - int off; + int off, out_size; int maxband, keyframe; int last[2]; + out_size = MPC_FRAME_SIZE * 2 * avctx->channels; + if (*data_size < out_size) { + av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n"); + return AVERROR(EINVAL); + } + keyframe = c->cur_frame == 0; if(keyframe){ @@ -260,6 +268,8 @@ static int mpc8_decode_frame(AVCodecContext * avctx, maxband = c->last_max_band + get_vlc2(gb, band_vlc.table, MPC8_BANDS_BITS, 2); if(maxband > 32) maxband -= 33; } + if(maxband > c->maxbands) + return AVERROR_INVALIDDATA; c->last_max_band = maxband; /* read subband indexes */ 
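Review bot: The new `c->maxbands >= BANDS` check in mpc8_decode_init returns AVERROR_INVALIDDATA without logging anything, unlike the multichannel rejection just below it, which reports through av_log_missing_feature. The `maxband > c->maxbands` check added to mpc8_decode_frame has the same silent return. A line such as `av_log(avctx, AV_LOG_ERROR, "maxbands %d too high\n", c->maxbands);` before each return would show which header field caused the rejection when a malformed file is triaged. Because `get_bits(&gb, 5) + 1` yields 1..32, a short comment saying why the comparison is `>=` rather than `>` would also help; the value of BANDS and the arrays it sizes are not visible in this hunk. The function body continues outside the hunk.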
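Review bot: The factor `2` in `out_size = MPC_FRAME_SIZE * 2 * avctx->channels;` is an unexplained constant, presumably the byte width of a 16-bit output sample. A comment such as `/* MPC_FRAME_SIZE samples per channel, 2 bytes per 16-bit sample */` or writing it as `sizeof(int16_t)` would tie the bound to the sample format, so the check is updated if the format ever changes. The bound is also computed from `avctx->channels` at call time, while the only channel validation visible in this diff is on the local `channels` in init. It is worth confirming that the two always agree, since the size check and the later writes to the output buffer depend on the same count. The body of mpc8_decode_frame starts and ends outside this hunk.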
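Review bot: The added `if(maxband > c->maxbands)` check bounds `maxband` only from above. On the non-keyframe path the value is `c->last_max_band + get_vlc2(...)` followed by `if(maxband > 32) maxband -= 33;`, so whether it can go negative depends on what get_vlc2 returns for an unmatched code, which this hunk does not show. If a negative result is possible, `if (maxband < 0 || maxband > c->maxbands)` would close the lower side before the value is stored in `c->last_max_band` and used for the subband loops that follow. The literals 32 and 33 in the wrap-around would also read more clearly if expressed through BANDS, assuming that is where they come from. The surrounding if/else begins before the hunk.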
@@ -400,19 +410,17 @@ static int mpc8_decode_frame(AVCodecContext * avctx, c->last_bits_used = get_bits_count(gb); if(c->cur_frame >= c->frames) c->cur_frame = 0; - *data_size = MPC_FRAME_SIZE * 2 * avctx->channels; + *data_size = out_size; return c->cur_frame ? c->last_bits_used >> 3 : buf_size; } AVCodec ff_mpc8_decoder = { - "mpc8", - AVMEDIA_TYPE_AUDIO, - CODEC_ID_MUSEPACK8, - sizeof(MPCContext), - mpc8_decode_init, - NULL, - NULL, - mpc8_decode_frame, + .name = "mpc8", + .type = AVMEDIA_TYPE_AUDIO, + .id = CODEC_ID_MUSEPACK8, + .priv_data_size = sizeof(MPCContext), + .init = mpc8_decode_init, + .decode = mpc8_decode_frame, .long_name = NULL_IF_CONFIG_SMALL("Musepack SV8"), };