Fix crash in MLP decoder due to integer overflow.

Probably only DoS, init_get_bits sets buffer to NULL, thus causing a NULL-dereference directly after. git-svn-id: file:///var/local/repositories/ffmpeg/trunk@21426 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b

Fix crash in MLP decoder due to integer overflow.
Probably only DoS, init_get_bits sets buffer to NULL, thus causing a NULL-dereference directly after. git-svn-id: file:///var/local/repositories/ffmpeg/trunk@21426 9553f0bf-9b14-0410-a0b8-cfaf0461ba5b
5703697f · reimar · 65536802 · 5703697f
Commit 5703697f authored Jan 24, 2010 by reimar
Show whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

libavcodec/mlpdec.c libavcodec/mlpdec.c +1 -1

No files found.
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -959,7 +959,7 @@ static int read_access_unit(AVCodecContext *avctx, void* data, int *data_size,
    length = (AV_RB16(buf) & 0xfff) * 2;
-    if (length > buf_size)
+    if (length < 4 || length > buf_size)
        return -1;
    init_get_bits(&gb, (buf + 4), (length - 4) * 8);