# HG changeset patch
# User kostya
# Date 1190452903 0
# Node ID a3fec73667afcf36111a3a472b35fe5a25c8a539
# Parent  914ff70e136743be4ec68a8be79378ba294af68a
Guard against output buffer overflows

diff -r 914ff70e1367 -r a3fec73667af dpcm.c
--- a/dpcm.c	Sat Sep 22 09:09:47 2007 +0000
+++ b/dpcm.c	Sat Sep 22 09:21:43 2007 +0000
@@ -173,6 +173,10 @@
     if (!buf_size)
         return 0;
 
+    // almost every DPCM variant expands one byte of data into two
+    if(*data_size/2 < buf_size)
+        return -1;
+
     switch(avctx->codec->id) {
 
     case CODEC_ID_ROQ_DPCM:
@@ -256,6 +260,8 @@
     case CODEC_ID_SOL_DPCM:
         in = 0;
         if (avctx->codec_tag != 3) {
+            if(*data_size/4 < buf_size)
+                return -1;
             while (in < buf_size) {
                 int n1, n2;
                 n1 = (buf[in] >> 4) & 0xF;