# HG changeset patch
# User uau
# Date 1155577067 0
# Node ID 925e7643a526deeb7aacae660f1aed6647095f78
# Parent  5d6f4f9b6727c61addc10cf434ef3a13f1f7e64e
Fix buffer size sanity check to match what is actually required.

diff -r 5d6f4f9b6727 -r 925e7643a526 libmpcodecs/dec_audio.c
--- a/libmpcodecs/dec_audio.c	Mon Aug 14 17:27:15 2006 +0000
+++ b/libmpcodecs/dec_audio.c	Mon Aug 14 17:37:47 2006 +0000
@@ -374,7 +374,12 @@
       mp_msg(MSGT_DECAUDIO,MSGL_DBG2,"decaudio: decoding %d bytes, max: %d (%d)\n",
         len, maxlen, sh_audio->audio_out_minsize);
 
-      if(maxlen<sh_audio->audio_out_minsize) break; // don't overflow buffer!
+      // When a decoder sets audio_out_minsize that should guarantee it can
+      // write up to audio_out_minsize bytes at a time until total >= minlen
+      // without checking maxlen. Thus maxlen must be at least minlen +
+      // audio_out_minsize. Check that to guard against buffer overflows.
+      if (maxlen < len + sh_audio->audio_out_minsize)
+	  break;
       // not enough decoded data waiting, decode 'len' bytes more:
       len=mpadec->decode_audio(sh_audio,
           sh_audio->a_buffer+sh_audio->a_buffer_len, len, maxlen);