From 5c9eb4fabbefd4ebb02620a0a3a6e10032ec069d Mon Sep 17 00:00:00 2001
From: Justin Ruggles
Date: Sat, 10 Sep 2011 13:54:02 -0400
Subject: [PATCH] adpcm: check buffer size in IMA DK4 decoder before reading header.
Also use the post-header data size to control termination of the main decoding loop.
---
 libavcodec/adpcm.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index be10f88de8..80dc7ca1d8 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -528,6 +528,12 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
 if (avctx->block_align != 0 && buf_size > avctx->block_align)
 buf_size = avctx->block_align;

+ n = buf_size - 4 * avctx->channels;
+ if (n < 0) {
+ av_log(avctx, AV_LOG_ERROR, "packet is too small\n");
+ return AVERROR(EINVAL);
+ }
+
 for (channel = 0; channel < avctx->channels; channel++) {
 cs = &c->status[channel];
 cs->predictor = (int16_t)bytestream_get_le16(&src);
@@ -535,7 +541,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
 src++;
 *samples++ = cs->predictor;
 }
- while (src < buf + buf_size) {
+ while (n-- > 0) {
 uint8_t v = *src++;
 *samples++ = adpcm_ima_expand_nibble(&c->status[0 ], v >> 4 , 3);
 *samples++ = adpcm_ima_expand_nibble(&c->status[st], v & 0x0F, 3);
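Review bot: The size guard in the first hunk hard-codes the header length as `4 * avctx->channels` with no comment tying it to the bytes the following `for` loop consumes, so a later change to the header parsing could silently invalidate the check. A one-line comment above the assignment, such as `/* 4 header bytes per channel; n = payload bytes left after the headers */`, would make the invariant explicit. The same loop indexes `c->status[channel]`, so the guard also relies on `avctx->channels` having been range-checked somewhere outside this hunk, which is worth confirming. For a truncated packet, `return AVERROR_INVALIDDATA;` describes the failure more precisely than `AVERROR(EINVAL)`. adpcm_decode_frame starts and ends outside the hunk.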
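Review bot: The rewritten loop `while (n-- > 0)` in the second hunk bounds only the reads from `src`; each iteration still stores two values through `samples`, and nothing in the visible lines limits those writes. If the output capacity is already checked earlier in adpcm_decode_frame (not shown here), a comment like `/* n payload bytes produce 2 * n samples; output size checked above */` would record that; otherwise the loop needs an output-side bound as well. The loop body continues past the end of the hunk.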