X-Git-Url: http://git.tuebingen.mpg.de/?p=paraslash.git;a=blobdiff_plain;f=spxdec_filter.c;h=644d287aaf6a4daba32dd023c9770691aa3f4d24;hp=b7b6329543773f0d0c12c96e21b952700790211f;hb=fc8dfbb416ff07cca08fbf4e13efcaa25e17cc54;hpb=6e0b28e02a1013c019a3225e922b71f913bfbae4 diff --git a/spxdec_filter.c b/spxdec_filter.c index b7b63295..644d287a 100644 --- a/spxdec_filter.c +++ b/spxdec_filter.c @@ -128,7 +128,14 @@ static int speexdec_init(struct filter_node *fn) #define le_short(s) ((short) (s)) #endif +/** + * Size of the output buffer. + * + * Valid streams have frame sizes in the range from 160 to 640. To avoid buffer + * overflows, we bail out if the decoder reports a value bigger than this. + */ #define MAX_FRAME_SIZE 2000 + /* Copy Ogg packet to Speex bitstream */ static int speexdec_write_frames(int packet_no, struct private_spxdec_data *psd, int skip_samples, @@ -139,7 +146,14 @@ static int speexdec_write_frames(int packet_no, for (j = 0; j != psd->shi.nframes; j++) { short output[MAX_FRAME_SIZE], *btr_output; int skip = skip_samples + psd->lookahead, skip_idx = 0; - int samples, new_frame_size = psd->shi.frame_size; + int samples, this_frame_size, + new_frame_size = psd->shi.frame_size; + + if (speex_decoder_ctl(psd->shi.state, SPEEX_GET_FRAME_SIZE, + &this_frame_size) == 0) { + if (this_frame_size > MAX_FRAME_SIZE) + return -E_SPX_DECODE_OVERFLOW; + }; if (speex_decode_int(psd->shi.state, &psd->bits, output) < 0) return -E_SPX_DECODE;
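Review bot: The new comment on `MAX_FRAME_SIZE` states the size without a unit, and that matters because the overflow check in the second hunk compares it against a sample count, not a byte count. The buffer is declared as `short output[MAX_FRAME_SIZE]`, so I would write `Size of the output buffer, in 16-bit samples.` It would also help to say whether the limit is per channel. If the decoded frame is later expanded to stereo inside the same buffer (not visible on this page), a frame size close to the limit would need twice the room.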
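Review bot: The bounds check in the second hunk fails open: when `speex_decoder_ctl()` returns non-zero, `this_frame_size` is never validated and `speex_decode_int()` still writes into the fixed `output[MAX_FRAME_SIZE]` stack array. Treating a failed query like an oversized frame closes that gap, e.g. `if (speex_decoder_ctl(psd->shi.state, SPEEX_GET_FRAME_SIZE, &this_frame_size) != 0 || this_frame_size > MAX_FRAME_SIZE)` followed by `return -E_SPX_DECODE_OVERFLOW;`. The `};` after the block leaves a stray empty statement and can be a plain `}`. The loop and the rest of speexdec_write_frames continue outside the hunk, so I cannot tell from here whether the query could be done once before the loop instead of per frame.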