From 91e6a64d2ea62edbe1178a65a2376e605f6988d5 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Date: Sun, 1 Jan 2017 22:42:44 +0100
Subject: [PATCH] wmavoice: truncate spillover_nbits if too large

This fixes triggering the av_assert0(ret <= tmp.size).

The problem was reintroduced by commit
7b27dd5c16de785297ce4de4b88afa0b6685f61d and originally fixed by
2a4700a4f03280fa8ba4fc0f8a9987bb550f0d1e.

Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
 libavcodec/wmavoice.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/wmavoice.c b/libavcodec/wmavoice.c
index cd5958c7bc2..c310b19a70f 100644
--- a/libavcodec/wmavoice.c
+++ b/libavcodec/wmavoice.c
@@ -1923,6 +1923,9 @@ static int wmavoice_decode_packet(AVCodecContext *ctx, void *data,
          * continuing to parse new superframes in the current packet. */
         if (s->sframe_cache_size > 0) {
             int cnt = get_bits_count(gb);
+            if (cnt + s->spillover_nbits > avpkt->size * 8) {
+                s->spillover_nbits = avpkt->size * 8 - cnt;
+            }
             copy_bits(&s->pb, avpkt->data, size, gb, s->spillover_nbits);
             flush_put_bits(&s->pb);
             s->sframe_cache_size += s->spillover_nbits;
-- 
GitLab