From ab546a7463814e052e9bc6f7cfbe1f2e5a38a9da Mon Sep 17 00:00:00 2001
From: Reinhard Tartler <siretart@tauware.de>
Date: Tue, 9 Feb 2010 19:09:12 +0000
Subject: [PATCH] check data_size in decode_frame()

backported r19986 by michael




Originally committed as revision 21716 to svn://svn.ffmpeg.org/ffmpeg/branches/0.5
---
 libavcodec/mpegaudiodec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
index ce0066bbf7..f4fe71649c 100644
--- a/libavcodec/mpegaudiodec.c
+++ b/libavcodec/mpegaudiodec.c
@@ -2287,6 +2287,9 @@ retry:
     avctx->bit_rate = s->bit_rate;
     avctx->sub_id = s->layer;
 
+    if(*data_size < 1152*avctx->channels*sizeof(OUT_INT))
+        return -1;
+
     if(s->frame_size<=0 || s->frame_size > buf_size){
         av_log(avctx, AV_LOG_ERROR, "incomplete frame\n");
         return -1;