[FFmpeg-devel] [PATCH 1/2] wmavoice: truncate spillover_nbits if too large

Mon Jan 2 00:18:49 EET 2017

This fixes triggering the av_assert0(ret <= tmp.size).

The problem was reintroduced by commit
7b27dd5c16de785297ce4de4b88afa0b6685f61d and originally fixed by
2a4700a4f03280fa8ba4fc0f8a9987bb550f0d1e.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
---
 libavcodec/wmavoice.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
index cd5958c7bc..1bfad46b2e 100644
--- a/libavcodec/wmavoice.c
+++ b/libavcodec/wmavoice.c
@@ -1923,6 +1923,11 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data,
          * continuing to parse new superframes in the current packet. */
         if (s->sframe_cache_size > 0) {
             int cnt = get_bits_count(gb);
+            if (cnt + s->spillover_nbits > avpkt->size * 8) {
+                av_log(ctx, AV_LOG_WARNING, "Number of spillover bits %d larger than remaining packet size %d, truncating.\n",
+                       s->spillover_nbits, avpkt->size * 8 - cnt);
+                s->spillover_nbits = avpkt->size * 8 - cnt;
+            }
             copy_bits(&s->pb, avpkt->data, size, gb, s->spillover_nbits);
             flush_put_bits(&s->pb);
             s->sframe_cache_size += s->spillover_nbits;
-- 
2.11.0
