From 10e9d1f76b4bec7a3c581ab7ac494f55acc6f24d Mon Sep 17 00:00:00 2001
From: Thierry Foucu
Date: Wed, 25 Jan 2012 15:46:14 -0800
Subject: [PATCH] Fix a heap-buffer-overflow

In some case, what left to read from ptr is smaller than EXTRABYTES.

Signed-off-by: Michael Niedermayer
---
 libavcodec/mpegaudiodec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/mpegaudiodec.c b/libavcodec/mpegaudiodec.c
index 51b197081c..f9764335b3 100644
--- a/libavcodec/mpegaudiodec.c
+++ b/libavcodec/mpegaudiodec.c
@@ -1385,7 +1385,8 @@ static int mp_decode_layer3(MPADecodeContext *s)
 av_dlog(s->avctx, "seekback: %d\n", main_data_begin);
 //av_log(NULL, AV_LOG_ERROR, "backstep:%d, lastbuf:%d\n", main_data_begin, s->last_buf_size);
- memcpy(s->last_buf + s->last_buf_size, ptr, EXTRABYTES);
+ memcpy(s->last_buf + s->last_buf_size, ptr,
+ FFMIN(EXTRABYTES, (s->gb.size_in_bits - get_bits_count(&s->gb))>>3));
 s->in_gb = s->gb;
 init_get_bits(&s->gb, s->last_buf, s->last_buf_size*8);
 #if !UNCHECKED_BITSTREAM_READER
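Review bot: The new length argument to `memcpy` has an upper bound but no lower one, so if the reader position is already past `s->gb.size_in_bits` the subtraction goes negative and the `int` is converted to a very large `size_t`. Whether that state is reachable is not visible in this hunk, but the `#if !UNCHECKED_BITSTREAM_READER` directly below suggests there are builds where reads are not bounds-checked, so a clamp at zero is cheap: `FFMAX(0, FFMIN(EXTRABYTES, (s->gb.size_in_bits - get_bits_count(&s->gb)) >> 3))`. When fewer than `EXTRABYTES` bytes are copied, the rest of the region after `s->last_buf_size` keeps its previous contents; if later code reads that tail, it would be worth zero-filling it or adding a comment saying why stale bytes are harmless. `mp_decode_layer3` begins and ends outside the hunk, so the destination bound on `s->last_buf` could not be checked here.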