check the validity of the amount of the remaining bytes in the bitstream before memcpy
authorMichael Niedermayer <michaelni@gmx.at>
Sun, 27 Aug 2006 07:19:11 +0000 (07:19 +0000)
committerMichael Niedermayer <michaelni@gmx.at>
Sun, 27 Aug 2006 07:19:11 +0000 (07:19 +0000)
Originally committed as revision 6105 to svn://svn.ffmpeg.org/ffmpeg/trunk

libavcodec/mpegaudiodec.c

index c76e05b..2d669a8 100644 (file)
@@ -2522,7 +2522,10 @@ static int mp_decode_frame(MPADecodeContext *s,
         align_get_bits(&s->gb);
         assert((get_bits_count(&s->gb) & 7) == 0);
         s->last_buf_size= (s->gb.size_in_bits - get_bits_count(&s->gb))>>3;
-        memcpy(s->last_buf, s->gb.buffer + (get_bits_count(&s->gb)>>3), s->last_buf_size);
+        if(s->last_buf_size <0 || s->last_buf_size > BACKSTEP_SIZE || nb_frames<0)
+            s->last_buf_size= FFMIN(BACKSTEP_SIZE, buf_size - HEADER_SIZE);
+        assert(s->last_buf_size <= buf_size - HEADER_SIZE);
+        memcpy(s->last_buf, s->gb.buffer + buf_size - HEADER_SIZE - s->last_buf_size, s->last_buf_size);
 
         break;
     }
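Review bot: The only guard tying `s->last_buf_size` to the actual input length is the `assert` before the `memcpy`, which disappears when NDEBUG is defined. A value in 0..BACKSTEP_SIZE that is still larger than `buf_size - HEADER_SIZE` then passes the `if` unchanged and makes the source pointer `s->gb.buffer + buf_size - HEADER_SIZE - s->last_buf_size` start before the offset it is computed from. The fallback `FFMIN(BACKSTEP_SIZE, buf_size - HEADER_SIZE)` can also go negative if `buf_size` is ever smaller than `HEADER_SIZE`; nothing in the visible lines rules that out, and a negative length would reach `memcpy` as a huge `size_t`. I would make the bound a runtime check: `if(s->last_buf_size <0 || s->last_buf_size > FFMIN(BACKSTEP_SIZE, buf_size - HEADER_SIZE) || nb_frames<0)` followed by `s->last_buf_size= FFMAX(0, FFMIN(BACKSTEP_SIZE, buf_size - HEADER_SIZE));`, keeping the assert only as documentation. `mp_decode_frame` begins and ends outside this hunk, so an earlier `buf_size` check may already cover the second case and should be confirmed.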