nutdec: fix illegal count check in decode_main_header
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Tue, 28 Apr 2015 20:37:19 +0000 (22:37 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Mon, 1 Jun 2015 21:25:21 +0000 (23:25 +0200)
commit35a0d4801f26a3f695ac5bd75f90ebea735ef86b
treedf3860480cb3c79b53d26ab01a062cd2e0a7654b
parente0ef1b8c0b21122850458d1c2c229d8bd852a74d
nutdec: fix illegal count check in decode_main_header

The existing check has two problems:
 1) i + count can overflow, so that the check '< 256' returns true.
 2) In the (i == 'N') case occurs a j-- so that the loop runs once more.

This can trigger the assertion 'nut->header_len[0] == 0' or cause
segmentation faults or infinite hangs.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7c24ca1bda2d4df1dc9b2b982941be532d60da21)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavformat/nutdec.c