@@ -1166,6 +1166,7 @@ static int decode_subframe(WMAProDecodeCtx *s)

             transmit_coeffs = 1;

     }

+    av_assert0(s->subframe_len <= WMAPRO_BLOCK_MAX_SIZE);

     if (transmit_coeffs) {

         int step;

         int quant_step = 90 * s->bits_per_sample >> 4;

@@ -1176,7 +1177,7 @@ static int decode_subframe(WMAProDecodeCtx *s)

             for (i = 0; i < s->channels_for_cur_subframe; i++) {

                 int c = s->channel_indexes_for_cur_subframe[i];

                 int num_vec_coeffs = get_bits(&s->gb, num_bits) << 2;

-                if (num_vec_coeffs > WMAPRO_BLOCK_MAX_SIZE) {

+                if (num_vec_coeffs > s->subframe_len) {

                     av_log(s->avctx, AV_LOG_ERROR, "num_vec_coeffs %d is too large\n", num_vec_coeffs);

                     return AVERROR_INVALIDDATA;

                 }