X-Git-Url: http://git.tuebingen.mpg.de/?p=paraslash.git;a=blobdiff_plain;f=spxdec_filter.c;h=644d287aaf6a4daba32dd023c9770691aa3f4d24;hp=cf1fe604436b69bff0dd81b81000cfe67058de23;hb=5e8d8a8eea6de9459ebdf4498f9f061c84bfa63a;hpb=e9b00a14a4653d767a9d0fe885aa0b6d56c42180
diff --git a/spxdec_filter.c b/spxdec_filter.c
index cf1fe604..644d287a 100644
--- a/spxdec_filter.c
+++ b/spxdec_filter.c
@@ -75,7 +75,7 @@ struct private_spxdec_data {
 int lookahead;
 /** The state information about the current stream. */
 ogg_stream_state os;
- /** Whether \a os initialized. */
+ /** Whether \a os is initialized. */
 bool stream_init;
 };
 
@@ -128,7 +128,14 @@ static int speexdec_init(struct filter_node *fn)
 #define le_short(s) ((short) (s))
 #endif
 
+/**
+ * Size of the output buffer.
+ *
+ * Valid streams have frame sizes in the range from 160 to 640. To avoid buffer
+ * overflows, we bail out if the decoder reports a value bigger than this.
+ */
 #define MAX_FRAME_SIZE 2000
+
 /* Copy Ogg packet to Speex bitstream */
 static int speexdec_write_frames(int packet_no,
 struct private_spxdec_data *psd, int skip_samples,
@@ -139,7 +146,14 @@ static int speexdec_write_frames(int packet_no,
 for (j = 0; j != psd->shi.nframes; j++) {
 short output[MAX_FRAME_SIZE], *btr_output;
 int skip = skip_samples + psd->lookahead, skip_idx = 0;
- int samples, new_frame_size = psd->shi.frame_size;
+ int samples, this_frame_size,
+ new_frame_size = psd->shi.frame_size;
+
+ if (speex_decoder_ctl(psd->shi.state, SPEEX_GET_FRAME_SIZE,
+ &this_frame_size) == 0) {
+ if (this_frame_size > MAX_FRAME_SIZE)
+ return -E_SPX_DECODE_OVERFLOW;
+ };
 
 if (speex_decode_int(psd->shi.state, &psd->bits, output) < 0)
 return -E_SPX_DECODE;
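Review bot: The new comment on `MAX_FRAME_SIZE` does not say what unit the size is in; the next hunk uses the macro as the element count of `short output[MAX_FRAME_SIZE]`, so it is a number of 16-bit samples, not bytes. I would open it with `Size of the output buffer, in samples (shorts).` so the comparison against the decoder's frame size reads as like-for-like.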
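Review bot: The new bound check fails open: when `speex_decoder_ctl()` returns non-zero the frame size is never verified and `speex_decode_int()` still writes into the fixed `output` array. I would treat a failed query like an oversized frame, `if (speex_decoder_ctl(psd->shi.state, SPEEX_GET_FRAME_SIZE, &this_frame_size) != 0 || this_frame_size > MAX_FRAME_SIZE) return -E_SPX_DECODE_OVERFLOW;`, which also drops the stray `;` after the closing brace. The rest of `speexdec_write_frames` lies outside the hunk; if it expands stereo frames in place in `output` (e.g. via `speex_decode_stereo_int`), the limit would need to be `MAX_FRAME_SIZE / 2` for two-channel streams. The query result does not change between iterations, so it could also be made once before the `for` loop.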