[vlc-commits] mmal/codec: Check picture buffer size before usage

[Julian Scheel]

vlc | branch: master | Julian Scheel <julian at jusst.de> | Thu Sep  4 12:43:02 2014 +0200| [a0ffd5a2e6659965207ae9a70e5f81ec09792567] | committer: Jean-Baptiste Kempf

mmal/codec: Check picture buffer size before usage

We need to make sure that a buffer is big enough to store the amount of data
we expect to receive from the decoder. Without doing this memory could be
corrupted due to the decoder writing outside the allocate memory.

Signed-off-by: Julian Scheel <julian at jusst.de>
Signed-off-by: Jean-Baptiste Kempf <jb at videolan.org>

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=a0ffd5a2e6659965207ae9a70e5f81ec09792567
---

 modules/hw/mmal/codec.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/modules/hw/mmal/codec.c b/modules/hw/mmal/codec.c
index d2424ea..2e7a0d0 100644
--- a/modules/hw/mmal/codec.c
+++ b/modules/hw/mmal/codec.c
@@ -373,6 +373,7 @@ static int send_output_buffer(decoder_t *dec)
     MMAL_BUFFER_HEADER_T *buffer;
     picture_t *picture;
     MMAL_STATUS_T status;
+    int buffer_size = 0;
     int ret = 0;
 
     buffer = mmal_queue_get(sys->output_pool->queue);
@@ -390,6 +391,16 @@ static int send_output_buffer(decoder_t *dec)
         goto out;
     }
 
+    for (int i = 0; i < picture->i_planes; i++)
+        buffer_size += picture->p[i].i_lines * picture->p[i].i_pitch;
+
+    if (buffer_size < sys->output->buffer_size) {
+        msg_Err(dec, "Retrieved picture with too small data block (%d < %d)",
+                buffer_size, sys->output->buffer_size);
+        ret = VLC_EGENERIC;
+        goto out;
+    }
+
     mmal_buffer_header_reset(buffer);
     buffer->user_data = picture;
     buffer->cmd = 0;