webp: fix infinite loop in webp_decode_frame
author Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>
Thu, 2 Jul 2015 21:45:46 +0000 (23:45 +0200)
committer Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Sun, 19 Jul 2015 08:00:07 +0000 (10:00 +0200)
The loop always needs at least 8 bytes for chunk_type and chunk_size.
If fewer are left, bytestream2_get_le32 just returns 0 without
reading any bytes, leading to an infinite loop.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 0762152f7af6cd93bc8f504d5503723500c3f369)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
libavcodec/webp.c

index 47e9e9e..723a847 100644 (file)
@@ -1387,7 +1387,7 @@ static int webp_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     }
 
     av_dict_free(&s->exif_metadata);
-    while (bytestream2_get_bytes_left(&gb) > 0) {
+    while (bytestream2_get_bytes_left(&gb) > 8) {
         char chunk_str[5] = { 0 };
 
         chunk_type = bytestream2_get_le32(&gb);
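Review bot: the new `while` condition uses `> 8`, which is stricter than the "at least 8 bytes" the commit message gives for chunk_type and chunk_size. With exactly 8 bytes left the loop now exits although both 4-byte fields could still be read, so a trailing chunk that consists only of its header is skipped without a diagnostic. If skipping it is intended, a one-line comment above the loop saying that a header-only chunk carries nothing to parse would make that explicit. Otherwise `>= 8` matches the stated requirement and still guarantees that each iteration consumes bytes, which is what prevents the zero-progress loop.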