nutdec: fix illegal count check in decode_main_header
authorAndreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Tue, 28 Apr 2015 20:37:19 +0000 (22:37 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Tue, 28 Apr 2015 20:56:14 +0000 (22:56 +0200)
commit7c24ca1bda2d4df1dc9b2b982941be532d60da21
tree63bfdf80a0ae8e8cb598c6f1d1eacbca40474552
parent361702660d2c37a63b7d6381d39e1e1de8405260
nutdec: fix illegal count check in decode_main_header

The existing check has two problems:
 1) i + count can overflow, so that the check '< 256' returns true.
 2) In the (i == 'N') case occurs a j-- so that the loop runs once more.

This can trigger the assertion 'nut->header_len[0] == 0' or cause
segmentation faults or infinite hangs.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavformat/nutdec.c