Merge branch 'refs/heads/t/format-signedness'
[paraslash.git] / spxdec_filter.c
index b7b6329543773f0d0c12c96e21b952700790211f..644d287aaf6a4daba32dd023c9770691aa3f4d24 100644 (file)
@@ -128,7 +128,14 @@ static int speexdec_init(struct filter_node *fn)
 #define le_short(s) ((short) (s))
 #endif
 
+/**
+ * Size of the output buffer.
+ *
+ * Valid streams have frame sizes in the range from 160 to 640. To avoid buffer
+ * overflows, we bail out if the decoder reports a value bigger than this.
+ */
 #define MAX_FRAME_SIZE 2000
+
 /* Copy Ogg packet to Speex bitstream */
 static int speexdec_write_frames(int packet_no,
                struct private_spxdec_data *psd, int skip_samples,
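Review bot: The new comment on MAX_FRAME_SIZE does not say what unit the size is in. The macro dimensions `short output[MAX_FRAME_SIZE]` in speexdec_write_frames, so it counts 16-bit samples rather than bytes. I would open the comment with `Size of the output buffer, in 16-bit samples.` so the 160 to 640 range and the limit are read in the same unit.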
@@ -139,7 +146,14 @@ static int speexdec_write_frames(int packet_no,
        for (j = 0; j != psd->shi.nframes; j++) {
                short output[MAX_FRAME_SIZE], *btr_output;
                int skip = skip_samples + psd->lookahead, skip_idx = 0;
-               int samples, new_frame_size = psd->shi.frame_size;
+               int samples, this_frame_size,
+                       new_frame_size = psd->shi.frame_size;
+
+               if (speex_decoder_ctl(psd->shi.state, SPEEX_GET_FRAME_SIZE,
+                               &this_frame_size) == 0) {
+                       if (this_frame_size > MAX_FRAME_SIZE)
+                               return -E_SPX_DECODE_OVERFLOW;
+               };
 
                if (speex_decode_int(psd->shi.state, &psd->bits, output) < 0)
                        return -E_SPX_DECODE;
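Review bot: The bound check at the top of the loop fails open: when `speex_decoder_ctl()` returns non-zero, the frame size is never validated and `speex_decode_int()` still writes into the fixed-size `output` array. Treating a failed query as an error keeps the guard meaningful, e.g. `if (speex_decoder_ctl(psd->shi.state, SPEEX_GET_FRAME_SIZE, &this_frame_size) != 0 || this_frame_size > MAX_FRAME_SIZE) return -E_SPX_DECODE_OVERFLOW;`, which also drops the stray `;` after the closing brace. If code further down expands `output` in place for stereo streams (not visible in this hunk), the limit would have to be MAX_FRAME_SIZE divided by the channel count. The loop body continues outside the hunk.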