prevent infinite loop and memcpy of negative amounts

fixes issue194

Originally committed as revision 10726 to svn://svn.ffmpeg.org/ffmpeg/trunk

libavcodec/aac_parser.c

@@ -67,6 +67,9 @@ static int aac_sync(const uint8_t *buf, int *channels, int *sample_rate,
     skip_bits1(&bits);          /* copyright_identification_bit */
     skip_bits1(&bits);          /* copyright_identification_start */
     size = get_bits(&bits, 13); /* aac_frame_length */
+    if(size < AAC_HEADER_SIZE)
+        return 0;
+
     skip_bits(&bits, 11);       /* adts_buffer_fullness */
     rdb = get_bits(&bits, 2);   /* number_of_raw_data_blocks_in_frame */
 

libavcodec/ac3_parser.c

@@ -114,6 +114,9 @@ static int ac3_sync(const uint8_t *buf, int *channels, int *sample_rate,
             return 0;   /* Currently don't support additional streams */
 
         frmsiz = get_bits(&bits, 11) + 1;
+        if(frmsiz*2 < AC3_HEADER_SIZE)
+            return 0;
+
         fscod = get_bits(&bits, 2);
         if (fscod == 3) {
             fscod2 = get_bits(&bits, 2);