X-Git-Url: http://git.tuebingen.mpg.de/?p=paraslash.git;a=blobdiff_plain;f=spxdec_filter.c;h=644d287aaf6a4daba32dd023c9770691aa3f4d24;hp=8b29007c67e5a7299c52cf8aada7875bef964a48;hb=224ab3f14af8e08a8a7159160eccea75be30ffd1;hpb=879e52d49df6d00aa9eafe5cccb48bbd24ed4c81

diff --git a/spxdec_filter.c b/spxdec_filter.c
index 8b29007c..644d287a 100644
--- a/spxdec_filter.c
+++ b/spxdec_filter.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2002-2006 Jean-Marc Valin
- * Copyright (C) 2010-2014 Andre Noll <maan@systemlinux.org>
+ * Copyright (C) 2010 Andre Noll <maan@tuebingen.mpg.de>
  *
  * Licensed under the GPL v2. For licencing details see COPYING.
  */
@@ -75,7 +75,7 @@ struct private_spxdec_data {
 	int lookahead;
 	/** The state information about the current stream. */
 	ogg_stream_state os;
-	/** Whether \a os initialized. */
+	/** Whether \a os is initialized. */
 	bool stream_init;
 };
 
@@ -128,7 +128,14 @@ static int speexdec_init(struct filter_node *fn)
 #define le_short(s) ((short) (s))
 #endif
 
+/**
+ * Size of the output buffer.
+ *
+ * Valid streams have frame sizes in the range from 160 to 640. To avoid buffer
+ * overflows, we bail out if the decoder reports a value bigger than this.
+ */
 #define MAX_FRAME_SIZE 2000
+
 /* Copy Ogg packet to Speex bitstream */
 static int speexdec_write_frames(int packet_no,
 		struct private_spxdec_data *psd, int skip_samples,
@@ -139,7 +146,14 @@ static int speexdec_write_frames(int packet_no,
 	for (j = 0; j != psd->shi.nframes; j++) {
 		short output[MAX_FRAME_SIZE], *btr_output;
 		int skip = skip_samples + psd->lookahead, skip_idx = 0;
-		int samples, new_frame_size = psd->shi.frame_size;
+		int samples, this_frame_size,
+			new_frame_size = psd->shi.frame_size;
+
+		if (speex_decoder_ctl(psd->shi.state, SPEEX_GET_FRAME_SIZE,
+				&this_frame_size) == 0) {
+			if (this_frame_size > MAX_FRAME_SIZE)
+				return -E_SPX_DECODE_OVERFLOW;
+		};
 
 		if (speex_decode_int(psd->shi.state, &psd->bits, output) < 0)
 			return -E_SPX_DECODE;