# HG changeset patch
# User kostya
# Date 1189749689 0
# Node ID 71dc0d839b28f8ae8aa640669246236ef31c63d4
# Parent d328f1731a6ca2f21b06c103a20803a6b058395d
Check unp_size for possible overflows too
diff -r d328f1731a6c -r 71dc0d839b28 smacker.c
--- a/smacker.c Thu Sep 13 09:13:56 2007 +0000
+++ b/smacker.c Fri Sep 14 06:01:29 2007 +0000
@@ -590,7 +590,7 @@
 }
 stereo = get_bits1(&gb);
 bits = get_bits1(&gb);
- if ((unp_size << !bits) > *data_size) {
+ if (unp_size & 0xC0000000 || (unp_size << !bits) > *data_size) {
 av_log(avctx, AV_LOG_ERROR, "Frame is too large to fit in buffer\n");
 return -1;
 }
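Review bot: The new guard `unp_size & 0xC0000000` relies on an unexplained constant that is only correct if `unp_size` is exactly 32 bits wide, and nothing in the hunk says why bits 30 and 31 are the ones rejected. I would add a comment above the `if`, `/* top two bits set: unp_size << 1 would overflow or turn negative */`, because this mask is what stops an oversized value (presumably read from the stream; its declaration is outside the hunk) from wrapping and then passing the buffer-size comparison. A form that avoids shifting the unchecked value, `if (unp_size < 0 || unp_size > (*data_size >> !bits)) {`, expresses the same limit without a width-dependent mask, assuming `unp_size` is a signed int and `*data_size` is non-negative; both need confirming against the declarations. The enclosing function starts and ends outside the hunk.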