Fix input buffer size check in adpcm_ea decoder.

Unfortunately the output buffer size check assumes that the
input buffer is never over-consumed, thus this actually
also allowed to write outside the output buffer if "lucky".

diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index 826c5886767aaf2d628c4ab8882869388693b0e6..6252dbcb6a491022c566f3e913e0b74a1545ec72 100644 (file)
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -1291,7 +1291,7 @@ static int adpcm_decode_frame(AVCodecContext *avctx,
         }
         break;
     case CODEC_ID_ADPCM_EA:
-        if (buf_size < 4 || AV_RL32(src) >= ((buf_size - 12) * 2)) {
+        if (buf_size < 12 || AV_RL32(src) > (buf_size - 12)/30*28) {
             src += buf_size;
             break;
         }