From 77760ff64e9d188df6a3704f22cbdb1fbb2421b8 Mon Sep 17 00:00:00 2001
From: uau <uau@b3059339-0415-0410-9bf9-f77b7e298cf2>
Date: Mon, 14 Aug 2006 17:37:47 +0000
Subject: [PATCH] Fix buffer size sanity check to match what is actually
 required.

git-svn-id: svn://svn.mplayerhq.hu/mplayer/trunk@19398 b3059339-0415-0410-9bf9-f77b7e298cf2
---
 libmpcodecs/dec_audio.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libmpcodecs/dec_audio.c b/libmpcodecs/dec_audio.c
index d5601ae5c3..91f4679033 100644
--- a/libmpcodecs/dec_audio.c
+++ b/libmpcodecs/dec_audio.c
@@ -374,7 +374,12 @@ int decode_audio(sh_audio_t *sh_audio,unsigned char *buf,int minlen,int maxlen)
       mp_msg(MSGT_DECAUDIO,MSGL_DBG2,"decaudio: decoding %d bytes, max: %d (%d)\n",
         len, maxlen, sh_audio->audio_out_minsize);
 
-      if(maxlen<sh_audio->audio_out_minsize) break; // don't overflow buffer!
+      // When a decoder sets audio_out_minsize that should guarantee it can
+      // write up to audio_out_minsize bytes at a time until total >= minlen
+      // without checking maxlen. Thus maxlen must be at least minlen +
+      // audio_out_minsize. Check that to guard against buffer overflows.
+      if (maxlen < len + sh_audio->audio_out_minsize)
+	  break;
       // not enough decoded data waiting, decode 'len' bytes more:
       len=mpadec->decode_audio(sh_audio,
           sh_audio->a_buffer+sh_audio->a_buffer_len, len, maxlen);