# HG changeset patch
# User reimar
# Date 1264356449 0
# Node ID 9aae10c862f7dc427bd417a2bc49df01a7dae2b2
# Parent cf7a9b5c4064e0a10a431e66e27fd0a3f4193188
Fix crash in MLP decoder due to integer overflow. Probably only DoS, init_get_bits sets buffer to NULL, thus causing a NULL-dereference directly after.
diff -r cf7a9b5c4064 -r 9aae10c862f7 mlpdec.c
--- a/mlpdec.c Sun Jan 24 18:05:02 2010 +0000
+++ b/mlpdec.c Sun Jan 24 18:07:29 2010 +0000
@@ -959,7 +959,7 @@
 length = (AV_RB16(buf) & 0xfff) * 2;
- if (length > buf_size)
+ if (length < 4 || length > buf_size)
 return -1;
 init_get_bits(&gb, (buf + 4), (length - 4) * 8);
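Review bot: The new lower bound `length < 4` is a bare magic number tied to the `buf + 4` / `(length - 4) * 8` arguments of the init_get_bits() call just below, and nothing at the check records why it exists. A comment such as `/* the first 4 bytes are skipped below; a smaller length would make (length - 4) * 8 overflow */` would keep a later refactor from dropping the guard. A length of exactly 4 still passes and hands the bit reader a zero-bit payload, so it is worth confirming that the parsing after init_get_bits() tolerates an empty buffer. That code and the declarations of `length` and `buf_size` are outside the hunk. If `length` is unsigned and `buf_size` a signed int, `length > buf_size` also relies on `buf_size` never being negative, which should be stated or checked where the function begins.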