[vlc-commits] twolame: avoid buffer overflow

[Tristan Matthews]

vlc | branch: master | Tristan Matthews <tmatth at videolan.org> | Sat Sep 27 15:07:51 2014 -0400| [9ab9aa37080ed6e8d34717bdf416509c7e38bbf9] | committer: Tristan Matthews

twolame: avoid buffer overflow

Refs #12298

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=9ab9aa37080ed6e8d34717bdf416509c7e38bbf9
---

 modules/codec/twolame.c |   22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/modules/codec/twolame.c b/modules/codec/twolame.c
index 3257b76..b44647e 100644
--- a/modules/codec/twolame.c
+++ b/modules/codec/twolame.c
@@ -251,12 +251,24 @@ static int OpenEncoder( vlc_object_t *p_this )
  ****************************************************************************/
 static void Bufferize( encoder_t *p_enc, int16_t *p_in, int i_nb_samples )
 {
-    int16_t *p_buffer = p_enc->p_sys->p_buffer
-                         + (p_enc->p_sys->i_nb_samples
-                             * p_enc->fmt_in.audio.i_channels);
+    encoder_sys_t *p_sys = p_enc->p_sys;
+    const unsigned i_offset = p_sys->i_nb_samples * p_enc->fmt_in.audio.i_channels;
+    const unsigned i_len = ARRAY_SIZE(p_sys->p_buffer);
+
+    if( i_offset >= i_len )
+    {
+        msg_Err( p_enc, "buffer full" );
+        return;
+    }
+
+    unsigned i_copy = i_nb_samples * p_enc->fmt_in.audio.i_channels;
+    if( i_copy + i_offset > i_len)
+    {
+        msg_Err( p_enc, "dropping samples" );
+        i_copy = i_len - i_offset;
+    }
 
-    memcpy( p_buffer, p_in, i_nb_samples * p_enc->fmt_in.audio.i_channels
-                             * sizeof(int16_t) );
+    memcpy( p_sys->p_buffer + i_offset, p_in, i_copy * sizeof(int16_t) );
 }
 
 static block_t *Encode( encoder_t *p_enc, block_t *p_aout_buf )