# HG changeset patch
# User kostya
# Date 1189663198 0
# Node ID ca944f1db2b349fef0b987f5b87da639fd291682
# Parent 9810f0bbacb2c161547d95418b98580d465a67e4
Add checks on input/output buffers size for some audio decoders
diff -r 9810f0bbacb2 -r ca944f1db2b3 smacker.c
--- a/smacker.c Thu Sep 13 03:22:47 2007 +0000
+++ b/smacker.c Thu Sep 13 05:59:58 2007 +0000
@@ -590,6 +590,10 @@
 }
 stereo = get_bits1(&gb);
 bits = get_bits1(&gb);
+ if ((unp_size << !bits) > *data_size) {
+ av_log(avctx, AV_LOG_ERROR, "Frame is too large to fit in buffer\n");
+ return -1;
+ }
 memset(vlc, 0, sizeof(VLC) * 4);
 memset(h, 0, sizeof(HuffContext) * 4);
diff -r 9810f0bbacb2 -r ca944f1db2b3 truespeech.c
--- a/truespeech.c Thu Sep 13 03:22:47 2007 +0000
+++ b/truespeech.c Thu Sep 13 05:59:58 2007 +0000
@@ -333,15 +333,17 @@
 {
 TSContext *c = avctx->priv_data;
- int i;
+ int i, j;
 short *samples = data;
 int consumed = 0;
 int16_t out_buf[240];
+ int iterations;
 if (!buf_size) return 0;
- while (consumed < buf_size) {
+ iterations = FFMIN(buf_size / 32, *data_size / 480);
+ for(j = 0; j < iterations; j++) {
 truespeech_read_frame(c, buf + consumed);
 consumed += 32;
@@ -366,7 +368,7 @@
 *data_size = consumed * 15;
- return buf_size;
+ return consumed;
 }
 AVCodec truespeech_decoder = {
diff -r 9810f0bbacb2 -r ca944f1db2b3 ws-snd1.c
--- a/ws-snd1.c Thu Sep 13 03:22:47 2007 +0000
+++ b/ws-snd1.c Thu Sep 13 05:59:58 2007 +0000
@@ -62,6 +62,14 @@
 in_size = AV_RL16(&buf[2]);
 buf += 4;
+ if (out_size > *data_size) {
+ av_log(avctx, AV_LOG_ERROR, "Frame is too large to fit in buffer\n");
+ return -1;
+ }
+ if (in_size > buf_size) {
+ av_log(avctx, AV_LOG_ERROR, "Frame data is larger than input buffer\n");
+ return -1;
+ }
 if (in_size == out_size) {
 for (i = 0; i < out_size; i++) *samples++ = (*buf++ - 0x80) << 8;
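Review bot: In the smacker.c hunk, `(unp_size << !bits) > *data_size` shifts and compares a size that is presumably taken from the packet before anything visible here has bounded it. If unp_size is a signed int (its declaration and any earlier range check are outside the hunk), the left shift can overflow, or a negative value can pass as "small enough". Shifting the limit instead of the untrusted value avoids both: `if (unp_size < 0 || unp_size > (*data_size >> !bits)) {`. A short comment on why the size doubles when `bits` is 0 (presumably 8-bit input widened to 16-bit output) would make the bound checkable by the next reader.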
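Review bot: In the first truespeech.c hunk, `iterations = FFMIN(buf_size / 32, *data_size / 480)` can be 0 while buf_size is non-zero, either for a packet shorter than 32 bytes or an output buffer under 480 bytes. The function then returns `consumed` == 0 (second hunk) with `*data_size` set to 0 and nothing logged, so a caller that loops until its input is consumed would make no progress. Unlike the smacker.c and ws-snd1.c checks in this commit, the condition is also silent; consider rejecting it right after the computation with `if (!iterations) { av_log(avctx, AV_LOG_ERROR, "Too small input/output buffer\n"); return -1; }`. A comment stating that 32 is the input frame size in bytes and 480 the bytes produced per frame (the 240-entry `int16_t out_buf`) would document the bound. The loop body continues outside the hunk.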
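Review bot: In the ws-snd1.c hunk, both new bounds look looser than the accesses they guard. `in_size > buf_size` is tested after `buf += 4` with buf_size unchanged in the visible lines, so a packet may claim up to 4 bytes more than remain after the header; `if (in_size > buf_size - 4)` would match the advanced pointer, provided buf_size >= 4 is established before the header is read. `out_size > *data_size` compares an element count with what is presumably a byte capacity: the copy loop stores out_size values through `samples`, so if those are 16-bit the test should be `if (out_size * 2 > *data_size)`. The check also only works if `*data_size` still holds the caller's capacity at this point; the code before the hunk is not shown, so confirm it has not already been overwritten with the frame's own size.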