imc: check output buffer size before decoding

diff --git a/libavcodec/imc.c b/libavcodec/imc.c
index 1a3eeaa..db388e3 100644 (file)
--- a/libavcodec/imc.c
+++ b/libavcodec/imc.c
@@ -651,7 +651,7 @@ static int imc_decode_frame(AVCodecContext * avctx,
     IMCContext *q = avctx->priv_data;
 
     int stream_format_code;
-    int imc_hdr, i, j;
+    int imc_hdr, i, j, out_size;
     int flag;
     int bits, summer;
     int counter, bitscount;
@@ -662,6 +662,12 @@ static int imc_decode_frame(AVCodecContext * avctx,
         return -1;
     }
 
+    out_size = COEFFS * av_get_bytes_per_sample(avctx->sample_fmt);
+    if (*data_size < out_size) {
+        av_log(avctx, AV_LOG_ERROR, "Output buffer is too small\n");
+        return AVERROR(EINVAL);
+    }
+
     q->dsp.bswap16_buf(buf16, (const uint16_t*)buf, IMC_BLOCK_SIZE / 2);
 
     q->out_samples = data;
@@ -808,7 +814,7 @@ static int imc_decode_frame(AVCodecContext * avctx,
 
     imc_imdct256(q);
 
-    *data_size = COEFFS * sizeof(float);
+    *data_size = out_size;
 
     return IMC_BLOCK_SIZE;
 }