@ -454,7 +454,7 @@ static inline int decode_subframe(FLACContext *s, int channel)
return 0 ;
return 0 ;
}
}
static int decode_frame ( FLACContext * s )
static int decode_frame ( FLACContext * s , int alloc_data_size )
{
{
int blocksize_code , sample_rate_code , sample_size_code , assignment , i , crc8 ;
int blocksize_code , sample_rate_code , sample_size_code , assignment , i , crc8 ;
int decorrelation , bps , blocksize , samplerate ;
int decorrelation , bps , blocksize , samplerate ;
@ -516,6 +516,9 @@ static int decode_frame(FLACContext *s)
return - 1 ;
return - 1 ;
}
}
if ( blocksize * s - > channels * sizeof ( int16_t ) > alloc_data_size )
return - 1 ;
if ( sample_rate_code = = 0 ) {
if ( sample_rate_code = = 0 ) {
samplerate = s - > samplerate ;
samplerate = s - > samplerate ;
} else if ( ( sample_rate_code > 3 ) & & ( sample_rate_code < 12 ) )
} else if ( ( sample_rate_code > 3 ) & & ( sample_rate_code < 12 ) )
@ -579,6 +582,9 @@ static int flac_decode_frame(AVCodecContext *avctx,
FLACContext * s = avctx - > priv_data ;
FLACContext * s = avctx - > priv_data ;
int tmp = 0 , i , j = 0 , input_buf_size = 0 ;
int tmp = 0 , i , j = 0 , input_buf_size = 0 ;
int16_t * samples = data ;
int16_t * samples = data ;
int alloc_data_size = * data_size ;
* data_size = 0 ;
if ( s - > max_framesize = = 0 ) {
if ( s - > max_framesize = = 0 ) {
s - > max_framesize = 65536 ; // should hopefully be enough for the first header
s - > max_framesize = 65536 ; // should hopefully be enough for the first header
@ -617,7 +623,7 @@ static int flac_decode_frame(AVCodecContext *avctx,
goto end ; // we may not have enough bits left to decode a frame, so try next time
goto end ; // we may not have enough bits left to decode a frame, so try next time
}
}
skip_bits ( & s - > gb , 16 ) ;
skip_bits ( & s - > gb , 16 ) ;
if ( decode_frame ( s ) < 0 ) {
if ( decode_frame ( s , alloc_data_size ) < 0 ) {
av_log ( s - > avctx , AV_LOG_ERROR , " decode_frame() failed \n " ) ;
av_log ( s - > avctx , AV_LOG_ERROR , " decode_frame() failed \n " ) ;
s - > bitstream_size = 0 ;
s - > bitstream_size = 0 ;
s - > bitstream_index = 0 ;
s - > bitstream_index = 0 ;
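Review bot: The new bound check in decode_frame, `if (blocksize * s->channels * sizeof(int16_t) > alloc_data_size)`, compares a size_t product against the signed int alloc_data_size, so a negative value copied from `*data_size` in flac_decode_frame is converted to a very large unsigned number and the check passes. Since this check is what keeps the decoded samples inside the caller's output buffer, I would reject that case explicitly: `if (alloc_data_size < 0 || blocksize * s->channels * sizeof(int16_t) > (size_t)alloc_data_size)`. The failure also returns -1 silently, so the caller's generic "decode_frame() failed" message cannot tell an undersized output buffer from a corrupt frame; an av_log line naming the required and available byte counts would make that distinguishable. decode_frame and flac_decode_frame both continue outside the hunks shown, so whether blocksize and s->channels are already range-checked before this point cannot be confirmed from here.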