From aca7f5f0607789b26b1b5d0c2dbe3ae39a229806 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Date: Sun, 30 Oct 2016 21:18:20 +0100
Subject: [PATCH] interplayacm: increase bitstream buffer size by
 AV_INPUT_BUFFER_PADDING_SIZE

This fixes out-of-bounds reads by the bitstream reader.

Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit 60178e78f2fe9a7bfb9da0abc985835e2ebfd2f1)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
 libavcodec/interplayacm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/interplayacm.c b/libavcodec/interplayacm.c
index 14cad09cff..8b340093df 100644
--- a/libavcodec/interplayacm.c
+++ b/libavcodec/interplayacm.c
@@ -76,7 +76,7 @@ static av_cold int decode_init(AVCodecContext *avctx)
     s->block   = av_calloc(s->block_len, sizeof(int));
     s->wrapbuf = av_calloc(s->wrapbuf_len, sizeof(int));
     s->ampbuf  = av_calloc(0x10000, sizeof(int));
-    s->bitstream = av_calloc(s->max_framesize, sizeof(*s->bitstream));
+    s->bitstream = av_calloc(s->max_framesize + AV_INPUT_BUFFER_PADDING_SIZE / sizeof(*s->bitstream) + 1, sizeof(*s->bitstream));
     if (!s->block || !s->wrapbuf || !s->ampbuf || !s->bitstream)
         return AVERROR(ENOMEM);