Fix a heap-buffer-overflow

In some case, what left to read from ptr is smaller than EXTRABYTES. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Thierry Foucu <tfoucu@gmail.com> 2012-01-25 15:46:14 -0800
committer: Michael Niedermayer <michaelni@gmx.at> 2012-01-26 03:28:12 +0100
commit: 10e9d1f76b4bec7a3c581ab7ac494f55acc6f24d (patch)
tree: 9cafcc8acfe79260a5ca1d767c81a7e302965a17
parent: 3c5fe5b52758225e58fec917cc29281d6025aa67 (diff)
download: ffmpeg-10e9d1f76b4bec7a3c581ab7ac494f55acc6f24d.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
index 51b197081c..f9764335b3 100644
--- a/libavcodec/mpegaudiodec.c
+++ b/libavcodec/mpegaudiodec.c
@@ -1385,7 +1385,8 @@ static int mp_decode_layer3(MPADecodeContext *s)
         av_dlog(s->avctx, "seekback: %d\n", main_data_begin);
     //av_log(NULL, AV_LOG_ERROR, "backstep:%d, lastbuf:%d\n", main_data_begin, s->last_buf_size);
 
-        memcpy(s->last_buf + s->last_buf_size, ptr, EXTRABYTES);
+        memcpy(s->last_buf + s->last_buf_size, ptr,
+               FFMIN(EXTRABYTES, (s->gb.size_in_bits - get_bits_count(&s->gb))>>3));
         s->in_gb = s->gb;
         init_get_bits(&s->gb, s->last_buf, s->last_buf_size*8);
 #if !UNCHECKED_BITSTREAM_READER
author	Thierry Foucu <tfoucu@gmail.com>	2012-01-25 15:46:14 -0800
committer	Michael Niedermayer <michaelni@gmx.at>	2012-01-26 03:28:12 +0100
commit	10e9d1f76b4bec7a3c581ab7ac494f55acc6f24d (patch)
tree	9cafcc8acfe79260a5ca1d767c81a7e302965a17
parent	3c5fe5b52758225e58fec917cc29281d6025aa67 (diff)
download	ffmpeg-10e9d1f76b4bec7a3c581ab7ac494f55acc6f24d.tar.gz