From f5a29040feebefcec4472a67b3396b6bfae84f33 Mon Sep 17 00:00:00 2001
From: Andre
Date: Tue, 30 May 2006 00:51:32 +0200
Subject: [PATCH] aacdec: detect buffer overrun and return an errror.
Also, increase the output buffer size and don't try to decode if the output buffer is already filled at least 60%.
---
 aacdec.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/aacdec.c b/aacdec.c
index fe046b70..e1841d98 100644
--- a/aacdec.c
+++ b/aacdec.c
@@ -31,9 +31,8 @@
 #include "string.h"
 #include "aac.h"
-#define MAX_CHANNELS 6
 /** the output buffer size */
-#define AAC_OUTBUF_SIZE (FAAD_MIN_STREAMSIZE * MAX_CHANNELS)
+#define AAC_OUTBUF_SIZE (32 * 1024)
 /**
 * data specific to the aacdec filter
@@ -59,9 +58,9 @@ static ssize_t aacdec(char *input_buffer, size_t len, struct filter_node *fn)
 unsigned char *inbuf = (unsigned char*)input_buffer;
 size_t skip, consumed = 0;
- if (fn->loaded > fn->bufsize * 4 / 5)
+ if (fn->loaded > fn->bufsize * 3 / 5)
 return 0;
- if (len < 1000 && !*fc->input_eof)
+ if (len < 2048 && !*fc->input_eof)
 return 0;
 if (!padd->initialized) {
@@ -112,7 +111,7 @@ static ssize_t aacdec(char *input_buffer, size_t len, struct filter_node *fn)
 if (padd->consumed_total < padd->entry)
 consumed = padd->entry - padd->consumed_total;
 }
- for (; consumed < len;consumed++)
+ for (; consumed < len; consumed++)
 if ((inbuf[consumed] & 0xfe) == 0x20)
 break;
 if (consumed >= len)
@@ -121,7 +120,7 @@ static ssize_t aacdec(char *input_buffer, size_t len, struct filter_node *fn)
 outbuffer = NeAACDecDecode(padd->handle, &padd->frame_info, p, len - consumed);
 ret = -E_AAC_DECODE;
- if (padd->frame_info.error != 0) {
+ if (padd->frame_info.error) {
 PARA_ERROR_LOG("frame_error: %d, consumed: %zu + %zd + %lu\n", padd->frame_info.error, padd->consumed_total, consumed, padd->frame_info.bytesconsumed);
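Review bot: The new `#define AAC_OUTBUF_SIZE (32 * 1024)` in the first hunk carries no rationale, and together with the bare `fn->bufsize * 3 / 5` and `len < 2048` thresholds in the second hunk it decides whether the `-E_AAC_OVERRUN` path added in the last hunk can be reached by a valid stream. With decoding allowed at up to 60% fill, only about 13,000 bytes (roughly 6500 16-bit samples) are guaranteed free, so a larger decoded frame appears to end in an error return rather than a retry once the buffer has drained. I would extend the existing doc comment to state the assumption, e.g. `/** the output buffer size; must hold 3/5 fill plus one maximal decoded frame (samples * 2 bytes) */`, and add a one-line comment at the fill check saying why 3/5 and 2048 were chosen.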
@@ -134,6 +133,9 @@ static ssize_t aacdec(char *input_buffer, size_t len, struct filter_node *fn)
 ret = consumed;
 if (!padd->frame_info.samples)
 goto out;
+ ret = -E_AAC_OVERRUN;
+ if (padd->frame_info.samples * 2 + fn->loaded > fn->bufsize)
+ goto out;
 for (i = 0; i < padd->frame_info.samples; i++) {
 short *s = (short *)outbuffer;
 fn->buf[fn->loaded++] = s[i] & 0xff;
-- 
2.39.2
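Review bot: The added guard `if (padd->frame_info.samples * 2 + fn->loaded > fn->bufsize)` does its arithmetic on the left-hand side, so a very large `samples` value would wrap and pass the check just before the copy loop writes through `fn->buf[fn->loaded++]`. The decoder normally bounds `samples`, but since this test is the only thing between decoder output and the buffer I would write it so it cannot wrap: `if (padd->frame_info.samples > (fn->bufsize - fn->loaded) / 2)`, which relies on `fn->loaded <= fn->bufsize` as the fill check at the top of aacdec() implies. `E_AAC_OVERRUN` is not defined in any hunk here and the diffstat lists only aacdec.c, so confirm the error code already exists elsewhere. The loop body and the `out` label lie outside the hunk.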