Fix crash in MLP decoder due to integer overflow.

Probably only DoS, init_get_bits sets buffer to NULL, thus causing a
NULL-dereference directly after.

backport r21426 by reimar


Originally committed as revision 21759 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5

libavcodec/mlpdec.c

@@ -878,7 +878,7 @@ static int read_access_unit(AVCodecContext *avctx, void* data, int *data_size,
 
     length = (AV_RB16(buf) & 0xfff) * 2;
 
-    if (length > buf_size)
+    if (length < 4 || length > buf_size)
         return -1;
 
     init_get_bits(&gb, (buf + 4), (length - 4) * 8);