diff mpegaudiodec.c @ 3641:b325c92e7bed libavcodec

check the validity of the amount of the remaining bytes in the bitstream before memcpy
author michael
date Sun, 27 Aug 2006 07:19:11 +0000
parents c5dffafebdff
children ae1dfbbb25bb
--- a/mpegaudiodec.c	Sat Aug 26 20:16:54 2006 +0000
+++ b/mpegaudiodec.c	Sun Aug 27 07:19:11 2006 +0000
@@ -2522,7 +2522,10 @@
         align_get_bits(&s->gb);
         assert((get_bits_count(&s->gb) & 7) == 0);
         s->last_buf_size= (s->gb.size_in_bits - get_bits_count(&s->gb))>>3;
-        memcpy(s->last_buf, s->gb.buffer + (get_bits_count(&s->gb)>>3), s->last_buf_size);
+        if(s->last_buf_size <0 || s->last_buf_size > BACKSTEP_SIZE || nb_frames<0)
+            s->last_buf_size= FFMIN(BACKSTEP_SIZE, buf_size - HEADER_SIZE);
+        assert(s->last_buf_size <= buf_size - HEADER_SIZE);
+        memcpy(s->last_buf, s->gb.buffer + buf_size - HEADER_SIZE - s->last_buf_size, s->last_buf_size);
 
         break;
     }
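Review bot: The only check that `s->last_buf_size` fits in the `buf_size - HEADER_SIZE` bytes the new `memcpy` source expression assumes is the added `assert`, which is compiled out when NDEBUG is defined, so a release build can still compute a source pointer that lies before `s->gb.buffer`. The fallback `FFMIN(BACKSTEP_SIZE, buf_size - HEADER_SIZE)` also goes negative if `buf_size` is smaller than `HEADER_SIZE`, and a negative length becomes a very large `size_t` in `memcpy`; whether the caller already guarantees `buf_size >= HEADER_SIZE` is not visible in this hunk. I would replace the assert with a runtime clamp, for example `s->last_buf_size= FFMIN(s->last_buf_size, buf_size - HEADER_SIZE);` followed by `if(s->last_buf_size < 0) s->last_buf_size= 0;`. The enclosing function starts and ends outside the hunk, so the relationship between `s->gb.buffer` and `buf_size` should be confirmed there.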