authorReimar Döffinger <Reimar.Doeffinger@gmx.de>2010-01-24 18:07:29 +0000
committerReimar Döffinger <Reimar.Doeffinger@gmx.de>2010-01-24 18:07:29 +0000
commit0b882b4009c9fbe24020c2fe83b21ee43d0784ea (patch)
tree54216a1ebbd06b892147d92a33761d2367c6d50d /libavcodec/mlpdec.c
parent8ba436171f6afb4b5c4882104c8a9d26f18727e7 (diff)
Fix crash in MLP decoder due to integer overflow.
Probably only a DoS: init_get_bits sets the buffer to NULL, thus causing a NULL dereference directly afterwards. Originally committed as revision 21426 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec/mlpdec.c')
-rw-r--r--libavcodec/mlpdec.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
index 8060ebe197..bfde83c09f 100644
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -959,7 +959,7 @@ static int read_access_unit(AVCodecContext *avctx, void* data, int *data_size,
length = (AV_RB16(buf) & 0xfff) * 2;
- if (length > buf_size)
+ if (length < 4 || length > buf_size)
return -1;
init_get_bits(&gb, (buf + 4), (length - 4) * 8);
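Review bot: The new lower bound `length < 4` is a bare magic number with no comment tying it to the `buf + 4` / `(length - 4) * 8` arithmetic in the init_get_bits call two lines below, so a later edit to either side can silently bring back the negative bit count. I would add a comment above the check such as `/* length includes the 4 header bytes skipped below; anything shorter makes (length - 4) * 8 negative */`, or name the constant and use it in all three places. Note that `length == 4` still passes and gives a zero-bit reader; whether the reads that follow are bounded against that is not visible here and is worth confirming. The rejection is also silent, so an `av_log` error line before `return -1;` would make malformed or hostile streams visible when triaging. read_access_unit starts and ends outside this hunk.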