Fix crash in MLP decoder due to integer overflow.

Probably only DoS, init_get_bits sets buffer to NULL, thus causing a
NULL-dereference directly after.

Originally committed as revision 21426 to svn://svn.ffmpeg.org/ffmpeg/trunk

diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
index 8060ebe..bfde83c 100644 (file)
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -959,7 +959,7 @@ static int read_access_unit(AVCodecContext *avctx, void* data, int *data_size,
 
     length = (AV_RB16(buf) & 0xfff) * 2;
 
-    if (length > buf_size)
+    if (length < 4 || length > buf_size)
         return -1;
 
     init_get_bits(&gb, (buf + 4), (length - 4) * 8);