From 701d0eb185192542c4a17f296e39e37cedf7abc6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?=
Date: Fri, 8 Apr 2011 01:19:21 +0200
Subject: [PATCH] Fix input buffer size check in adpcm_ea decoder.

Unfortunately the output buffer size check assumes that the input buffer is never over-consumed, thus this actually also allowed to write outside the output buffer if "lucky".
---
 libavcodec/adpcm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index 826c588676..6252dbcb6a 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -1291,7 +1291,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
 }
 break;
 case CODEC_ID_ADPCM_EA:
- if (buf_size < 4 || AV_RL32(src) >= ((buf_size - 12) * 2)) {
+ if (buf_size < 12 || AV_RL32(src) > (buf_size - 12)/30*28) {
 src += buf_size;
 break;
 }
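Review bot: The new bound in the `CODEC_ID_ADPCM_EA` case depends on undocumented constants and on the order of its two tests, and neither is explained at the condition. `AV_RL32(src)` is presumably an unsigned 32-bit value, so if `buf_size` is a signed int the right-hand side is converted to unsigned, and only the preceding `buf_size < 12` test keeps `buf_size - 12` from going negative and turning into a huge limit. I would add a comment above the `if`, for example `/* 12 = chunk header bytes, 30 input bytes per 28 samples; buf_size < 12 must be tested first so the subtraction cannot go negative */`, with the 30/28 meaning confirmed against the decode loop, which is outside this hunk. Since the commit message says the output-buffer check relies on this input check, that dependency should also be stated next to the output check, or the output writes bounded independently. adpcm_decode_frame starts and ends outside the hunk.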