From 4c0080b7e7d501e2720d2a61f5186a18377f9d63 Mon Sep 17 00:00:00 2001
From: Anton Khirnov <anton@khirnov.net>
Date: Wed, 6 Mar 2013 10:02:50 +0100
Subject: [PATCH 1/3] wmaprodec: return an error, not 0, when the input is too
 small.

Returning 0 may result in an infinite loop in valid calling programs. A
decoder should never return 0 without producing any output.

CC:libav-stable@libav.org
---
 libavcodec/wmaprodec.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/wmaprodec.c b/libavcodec/wmaprodec.c
index d906f900f4..56bb83ce27 100644
--- a/libavcodec/wmaprodec.c
+++ b/libavcodec/wmaprodec.c
@@ -1502,8 +1502,11 @@ static int decode_packet(AVCodecContext *avctx, void *data,
         s->packet_done = 0;
 
         /** sanity check for the buffer length */
-        if (buf_size < avctx->block_align)
-            return 0;
+        if (buf_size < avctx->block_align) {
+            av_log(avctx, AV_LOG_ERROR, "Input packet too small (%d < %d)\n",
+                   buf_size, avctx->block_align);
+            return AVERROR_INVALIDDATA;
+        }
 
         s->next_packet_start = buf_size - avctx->block_align;
         buf_size = avctx->block_align;

From f86d66bcfa48998b0727aa0d1089a30cbeae0933 Mon Sep 17 00:00:00 2001
From: Anton Khirnov <anton@khirnov.net>
Date: Wed, 6 Mar 2013 10:42:51 +0100
Subject: [PATCH 2/3] vmdaudio: fix invalid reads when packet size is not a
 multiple of chunk size

CC:libav-stable@libav.org
---
 libavcodec/vmdav.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/vmdav.c b/libavcodec/vmdav.c
index b5b5524919..8c6c7d5da4 100644
--- a/libavcodec/vmdav.c
+++ b/libavcodec/vmdav.c
@@ -627,7 +627,7 @@ static int vmdaudio_decode_frame(AVCodecContext *avctx, void *data,
     /* decode audio chunks */
     if (audio_chunks > 0) {
         buf_end = buf + buf_size;
-        while (buf < buf_end) {
+        while (buf + s->chunk_size <= buf_end) {
             if (s->out_bps == 2) {
                 decode_audio_s16(output_samples_s16, buf, s->chunk_size,
                                  avctx->channels);

From 19dd4017ab6dac11c77d797acebee4f60ad63a6f Mon Sep 17 00:00:00 2001
From: Yusuke Nakamura <muken.the.vfrmaniac@gmail.com>
Date: Fri, 8 Mar 2013 16:51:55 +0900
Subject: [PATCH 3/3] libopencore-amr: Add the missing 3rd argument of
 ff_get_buffer()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Martin Storsjö <martin@martin.st>
---
 libavcodec/libopencore-amr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/libopencore-amr.c b/libavcodec/libopencore-amr.c
index 23efa6ca0b..71a0edbfdf 100644
--- a/libavcodec/libopencore-amr.c
+++ b/libavcodec/libopencore-amr.c
@@ -344,7 +344,7 @@ static int amr_wb_decode_frame(AVCodecContext *avctx, void *data,
 
     /* get output buffer */
     frame->nb_samples = 320;
-    if ((ret = ff_get_buffer(avctx, frame)) < 0) {
+    if ((ret = ff_get_buffer(avctx, frame, 0)) < 0) {
         av_log(avctx, AV_LOG_ERROR, "get_buffer() failed\n");
         return ret;
     }