wmavoice: truncate spillover_nbits if too large

This fixes triggering the av_assert0(ret <= tmp.size). The problem was reintroduced by commit 7b27dd5c16de785297ce4de4b88afa0b6685f61d and originally fixed by 2a4700a4f03280fa8ba4fc0f8a9987bb550f0d1e. Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
author: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2017-01-01 22:42:44 +0100
committer: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> 2017-01-03 00:51:58 +0100
commit: 91e6a64d2ea62edbe1178a65a2376e605f6988d5 (patch)
tree: 08423e725385495cc09fdd425387b0c2789764da
parent: aa952920431b4cf0053c24ca60be8ffd31382b12 (diff)
download: ffmpeg-91e6a64d2ea62edbe1178a65a2376e605f6988d5.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
index cd5958c7bc..c310b19a70 100644
--- a/libavcodec/wmavoice.c
+++ b/libavcodec/wmavoice.c
@@ -1923,6 +1923,9 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data,
          * continuing to parse new superframes in the current packet. */
         if (s->sframe_cache_size > 0) {
             int cnt = get_bits_count(gb);
+            if (cnt + s->spillover_nbits > avpkt->size * 8) {
+                s->spillover_nbits = avpkt->size * 8 - cnt;
+            }
             copy_bits(&s->pb, avpkt->data, size, gb, s->spillover_nbits);
             flush_put_bits(&s->pb);
             s->sframe_cache_size += s->spillover_nbits;
author	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2017-01-01 22:42:44 +0100
committer	Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>	2017-01-03 00:51:58 +0100
commit	91e6a64d2ea62edbe1178a65a2376e605f6988d5 (patch)
tree	08423e725385495cc09fdd425387b0c2789764da
parent	aa952920431b4cf0053c24ca60be8ffd31382b12 (diff)
download	ffmpeg-91e6a64d2ea62edbe1178a65a2376e605f6988d5.tar.gz