# HG changeset patch
# User reimar
# Date 1131655271 0
# Node ID d8755974657a8d6e32967d43a21bd701e90a02e1
# Parent  ecf96c2552948c6015e30ec329ad413e57e5641f
attempt to fix missing and/or broken boundary checks

diff -r ecf96c255294 -r d8755974657a libmpcodecs/ad_dk3adpcm.c
--- a/libmpcodecs/ad_dk3adpcm.c	Thu Nov 10 20:38:05 2005 +0000
+++ b/libmpcodecs/ad_dk3adpcm.c	Thu Nov 10 20:41:11 2005 +0000
@@ -145,7 +145,7 @@
   sum_index = input[14];
   diff_index = input[15];
 
-  while (in_ptr < block_size)
+  while (in_ptr < block_size - !decode_top_nibble_next)
 //  while (in_ptr < 2048)
   {
     // process the first predictor of the sum channel
@@ -237,7 +237,11 @@
     sh_audio->ds->ss_mul) 
       return -1; /* EOF */
 
+  if (maxlen < 2 * 4 * sh_audio->wf->nBlockAlign * 2 / 3) {
+    mp_msg(MSGT_DECAUDIO, MSGL_V, "dk3adpcm: maxlen too small in decode_audio\n");
+    return -1;
+  }
   return 2 * dk3_adpcm_decode_block(
     (unsigned short*)buf, sh_audio->a_in_buffer,
-    sh_audio->wf->nBlockAlign);
+    sh_audio->ds->ss_mul);
 }