diff -u opus-0.9.14+20120615/debian/changelog opus-0.9.14+20120615/debian/changelog
--- opus-0.9.14+20120615/debian/changelog
+++ opus-0.9.14+20120615/debian/changelog
@@ -1,3 +1,10 @@
+opus (0.9.14+20120615-1+nmu1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix cve-2013-0899: integer overflow in src/opus_decoder.c (closes: #704870).
+
+ -- Michael Gilbert <mgilbert@debian.org>  Fri, 12 Apr 2013 01:40:52 +0000
+
 opus (0.9.14+20120615-1) unstable; urgency=low
 
   * Add extern "C" protection to opus_multistream.h.
only in patch2:
unchanged:
--- opus-0.9.14+20120615.orig/src/opus_decoder.c
+++ opus-0.9.14+20120615/src/opus_decoder.c
@@ -596,16 +596,14 @@
       /* Padding flag is bit 6 */
       if (ch&0x40)
       {
-         int padding=0;
          int p;
          do {
             if (len<=0)
                return OPUS_INVALID_PACKET;
             p = *data++;
             len--;
-            padding += p==255 ? 254: p;
+            len -= p==255 ? 254: p;
          } while (p==255);
-         len -= padding;
       }
       if (len<0)
          return OPUS_INVALID_PACKET;
