From a2085a7e9d83d99aca58bfb385f6db1afa5673dd Mon Sep 17 00:00:00 2001
From: Kostya Shishkov
Date: Sat, 22 Sep 2007 09:21:43 +0000
Subject: [PATCH] Guard against output buffer overflows

Originally committed as revision 10548 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/dpcm.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c
index 0ce05c821a..c4a127d7c7 100644
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -173,6 +173,10 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
 if (!buf_size)
 return 0;

+ // almost every DPCM variant expands one byte of data into two
+ if(*data_size/2 < buf_size)
+ return -1;
+
 switch(avctx->codec->id) {

 case CODEC_ID_ROQ_DPCM:
@@ -256,6 +260,8 @@ static int dpcm_decode_frame(AVCodecContext *avctx,
 case CODEC_ID_SOL_DPCM:
 in = 0;
 if (avctx->codec_tag != 3) {
+ if(*data_size/4 < buf_size)
+ return -1;
 while (in < buf_size) {
 int n1, n2;
 n1 = (buf[in] >> 4) & 0xF;
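Review bot: The new guard before the `switch` fails silently: `return -1` gives the caller no indication that the output buffer was too small, and the same applies to the second check under `CODEC_ID_SOL_DPCM`. Logging before returning, e.g. `av_log(avctx, AV_LOG_ERROR, "output buffer too small\n");`, would make an undersized buffer or oversized packet distinguishable from other decode failures. The check also relies on `*data_size` holding the output capacity in bytes on entry, which is presumably the caller's contract but is not stated in the visible lines; a comment such as `// on entry *data_size is the output buffer size in bytes` would pin that down. The function body starts before and continues past the hunk.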
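Review bot: The divisor 4 in `if(*data_size/4 < buf_size)` is unexplained, unlike the first check, which carries a comment. From the visible loop, `n1` is taken from the high four bits of `buf[in]`, so this branch appears to produce two 16-bit samples (four output bytes) per input byte; a comment like `// two 4-bit deltas per input byte -> two 16-bit samples` would document why the bound is stricter here. The `codec_tag == 3` branch is outside the hunk and seems to depend only on the general check before the `switch`, so it is worth confirming that it never writes more than two bytes per input byte. The loop body continues past the hunk.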