From 58bb21c463dfdb956e1a6811d345c556c9d95b17 Mon Sep 17 00:00:00 2001
From: Vincent Penquerc'h
Date: Thu, 29 Sep 2016 14:31:37 +0100
Subject: fdkaacdec: avoid memory corruption on decoding error
The buffer size is expected to be in multiples of the sample size, not in bytes.
https://bugzilla.gnome.org/show_bug.cgi?id=772186
---
 ext/fdkaac/gstfdkaacdec.c | 8 ++++----
 ext/fdkaac/gstfdkaacdec.h | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/ext/fdkaac/gstfdkaacdec.c b/ext/fdkaac/gstfdkaacdec.c
index ea0147568..c903d27af 100644
--- a/ext/fdkaac/gstfdkaacdec.c
+++ b/ext/fdkaac/gstfdkaacdec.c
@@ -167,8 +167,8 @@ gst_fdkaacdec_set_format (GstAudioDecoder * dec, GstCaps * caps)
 /* 8 channels * 2 bytes per sample * 2048 samples */
 if (!self->decode_buffer) {
- self->decode_buffer_size = 8 * 2 * 2048;
- self->decode_buffer = g_malloc (self->decode_buffer_size);
+ self->decode_buffer_size = 8 * 2048;
+ self->decode_buffer = g_new (gint16, self->decode_buffer_size);
 }
 return TRUE;
@@ -210,7 +210,7 @@ gst_fdkaacdec_handle_frame (GstAudioDecoder * dec, GstBuffer * inbuf)
 }
 if ((err =
- aacDecoder_DecodeFrame (self->dec, (gint16 *) self->decode_buffer,
+ aacDecoder_DecodeFrame (self->dec, self->decode_buffer,
 self->decode_buffer_size, flags)) != AAC_DEC_OK) {
 if (err == AAC_DEC_TRANSPORT_SYNC_ERROR) {
 ret = GST_FLOW_OK;
@@ -406,7 +406,7 @@ gst_fdkaacdec_flush (GstAudioDecoder * dec, gboolean hard)
 if (self->dec) {
 AAC_DECODER_ERROR err;
 if ((err =
- aacDecoder_DecodeFrame (self->dec, (gint16 *) self->decode_buffer,
+ aacDecoder_DecodeFrame (self->dec, self->decode_buffer,
 self->decode_buffer_size, AACDEC_FLUSH)) != AAC_DEC_OK) {
 GST_ERROR_OBJECT (self, "flushing error: %d", err);
 }
diff --git a/ext/fdkaac/gstfdkaacdec.h b/ext/fdkaac/gstfdkaacdec.h
index a805a2ad6..5f766bc1c 100644
--- a/ext/fdkaac/gstfdkaacdec.h
+++ b/ext/fdkaac/gstfdkaacdec.h
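Review bot: The comment kept as context above the allocation in gst_fdkaacdec_set_format still reads `/* 8 channels * 2 bytes per sample * 2048 samples */`, but decode_buffer_size is now `8 * 2048` and counts gint16 samples, with the 2 bytes coming from the element type passed to g_new. That bytes-versus-samples ambiguity is what the commit message names as the cause of the corruption, so the comment should state the unit, e.g. `/* decode_buffer_size counts gint16 samples (8 channels * 2048 samples), not bytes */`. The `gint decode_buffer_size;` field in gstfdkaacdec.h would benefit from the same one-line note, since both aacDecoder_DecodeFrame call sites in handle_frame and flush pass it as the output capacity. Any use of decode_buffer_size outside these hunks that still treats it as a byte count would now be off by a factor of two; the function bodies continue outside the hunks, so this cannot be confirmed from the lines shown.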
@@ -45,7 +45,7 @@ struct _GstFdkAacDec {
 GstAudioDecoder element;
 HANDLE_AACDECODER dec;
- guint8 *decode_buffer;
+ gint16 *decode_buffer;
 gint decode_buffer_size;
 };
-- cgit v1.2.1