diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2012-06-02 23:43:31 +0200 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2012-06-07 00:55:25 +0200 |
commit | 3bb942e6f08a081ce3bace7f5e9aa765e3e88b8e (patch) | |
tree | f6b17221cef03bf4c6212896707cb0f5a7a51e9d | |
parent | e863d3306f369c002c24dfda874a18173c5f5889 (diff) | |
download | ffmpeg-3bb942e6f08a081ce3bace7f5e9aa765e3e88b8e.tar.gz |
mpc7: fix handling of last frame
Fixes heap buffer overflow
Fixes ticket1393
Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit e95233789c08f55c0b2d0657bada609629a59294)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r-- | libavcodec/mpc7.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/libavcodec/mpc7.c b/libavcodec/mpc7.c index 14abff470d..0a4582635f 100644 --- a/libavcodec/mpc7.c +++ b/libavcodec/mpc7.c @@ -228,7 +228,7 @@ static int mpc7_decode_frame(AVCodecContext * avctx, void *data, buf_size -= 4; /* get output buffer */ - c->frame.nb_samples = last_frame ? c->lastframelen : MPC_FRAME_SIZE; + c->frame.nb_samples = MPC_FRAME_SIZE; if ((ret = avctx->get_buffer(avctx, &c->frame)) < 0) { av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n"); return ret; @@ -298,6 +298,8 @@ static int mpc7_decode_frame(AVCodecContext * avctx, void *data, idx_to_quant(c, &gb, bands[i].res[ch], c->Q[ch] + off); ff_mpc_dequantize_and_synth(c, mb, c->frame.data[0], 2); + if(last_frame) + c->frame.nb_samples = c->lastframelen; bits_used = get_bits_count(&gb); bits_avail = buf_size * 8; |