[vlc-devel] [PATCH v2 2/2] mmal/codec: Check picture buffer size before usage

[Julian Scheel]

We need to make sure that a buffer is big enough to store the amount of data
we expect to receive from the decoder. Without doing this memory could be
corrupted due to the decoder writing outside the allocate memory.

Signed-off-by: Julian Scheel <julian at jusst.de>
---
 modules/hw/mmal/codec.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/modules/hw/mmal/codec.c b/modules/hw/mmal/codec.c
index d2424ea..2e7a0d0 100644
--- a/modules/hw/mmal/codec.c
+++ b/modules/hw/mmal/codec.c
@@ -373,6 +373,7 @@ static int send_output_buffer(decoder_t *dec)
     MMAL_BUFFER_HEADER_T *buffer;
     picture_t *picture;
     MMAL_STATUS_T status;
+    int buffer_size = 0;
     int ret = 0;
 
     buffer = mmal_queue_get(sys->output_pool->queue);
@@ -390,6 +391,16 @@ static int send_output_buffer(decoder_t *dec)
         goto out;
     }
 
+    for (int i = 0; i < picture->i_planes; i++)
+        buffer_size += picture->p[i].i_lines * picture->p[i].i_pitch;
+
+    if (buffer_size < sys->output->buffer_size) {
+        msg_Err(dec, "Retrieved picture with too small data block (%d < %d)",
+                buffer_size, sys->output->buffer_size);
+        ret = VLC_EGENERIC;
+        goto out;
+    }
+
     mmal_buffer_header_reset(buffer);
     buffer->user_data = picture;
     buffer->cmd = 0;
-- 
2.1.0