nutdec: fix illegal count check in decode_main_header
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Tue, 28 Apr 2015 20:37:19 +0000 (22:37 +0200)
committerAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Thu, 14 May 2015 17:08:38 +0000 (19:08 +0200)
commit2f290cf8815b66849334453273df64ed1d1b1bfe
tree88f8304fd644a23d9474887bf3151801f7fa8b7c
parent2523bdcd670260c41bd7af14fb00f055f1d01bcd
nutdec: fix illegal count check in decode_main_header

The existing check has two problems:
 1) i + count can overflow, so that the check '< 256' returns true.
 2) In the (i == 'N') case occurs a j-- so that the loop runs once more.

This can trigger the assertion 'nut->header_len[0] == 0' or cause
segmentation faults or infinite hangs.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7c24ca1bda2d4df1dc9b2b982941be532d60da21)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
libavformat/nutdec.c