fdkaacdec: avoid memory corruption on decoding error

The buffer size is expected to be in multiples of the sample size,
not in bytes.

https://bugzilla.gnome.org/show_bug.cgi?id=772186

diff --git a/ext/fdkaac/gstfdkaacdec.c b/ext/fdkaac/gstfdkaacdec.c
index ea01475..c903d27 100644 (file)
--- a/ext/fdkaac/gstfdkaacdec.c
+++ b/ext/fdkaac/gstfdkaacdec.c
@@ -167,8 +167,8 @@ gst_fdkaacdec_set_format (GstAudioDecoder * dec, GstCaps * caps)
 
   /* 8 channels * 2 bytes per sample * 2048 samples */
   if (!self->decode_buffer) {
-    self->decode_buffer_size = 8 * 2 * 2048;
-    self->decode_buffer = g_malloc (self->decode_buffer_size);
+    self->decode_buffer_size = 8 * 2048;
+    self->decode_buffer = g_new (gint16, self->decode_buffer_size);
   }
 
   return TRUE;
@@ -210,7 +210,7 @@ gst_fdkaacdec_handle_frame (GstAudioDecoder * dec, GstBuffer * inbuf)
   }
 
   if ((err =
-          aacDecoder_DecodeFrame (self->dec, (gint16 *) self->decode_buffer,
+          aacDecoder_DecodeFrame (self->dec, self->decode_buffer,
               self->decode_buffer_size, flags)) != AAC_DEC_OK) {
     if (err == AAC_DEC_TRANSPORT_SYNC_ERROR) {
       ret = GST_FLOW_OK;
@@ -406,7 +406,7 @@ gst_fdkaacdec_flush (GstAudioDecoder * dec, gboolean hard)
   if (self->dec) {
     AAC_DECODER_ERROR err;
     if ((err =
-            aacDecoder_DecodeFrame (self->dec, (gint16 *) self->decode_buffer,
+            aacDecoder_DecodeFrame (self->dec, self->decode_buffer,
                 self->decode_buffer_size, AACDEC_FLUSH)) != AAC_DEC_OK) {
       GST_ERROR_OBJECT (self, "flushing error: %d", err);
     }

diff --git a/ext/fdkaac/gstfdkaacdec.h b/ext/fdkaac/gstfdkaacdec.h
index a805a2a..5f766bc 100644 (file)
--- a/ext/fdkaac/gstfdkaacdec.h
+++ b/ext/fdkaac/gstfdkaacdec.h
@@ -45,7 +45,7 @@ struct _GstFdkAacDec {
   GstAudioDecoder element;
 
   HANDLE_AACDECODER dec;
-  guint8 *decode_buffer;
+  gint16 *decode_buffer;
   gint decode_buffer_size;
 };