huffyuv: error out on bit overrun.
authorRonald S. Bultje <rsbultje@gmail.com>
Fri, 17 Feb 2012 23:00:47 +0000 (15:00 -0800)
committerRonald S. Bultje <rsbultje@gmail.com>
Fri, 17 Feb 2012 23:23:20 +0000 (15:23 -0800)
On EOF, get_bits() will continuously return 0, causing an infinite
loop.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
libavcodec/huffyuv.c

index ebbfc45..0c5f6be 100644 (file)
@@ -184,7 +184,7 @@ static int read_len_table(uint8_t *dst, GetBitContext *gb){
         if(repeat==0)
             repeat= get_bits(gb, 8);
 //printf("%d %d\n", val, repeat);
-        if(i+repeat > 256) {
+        if(i+repeat > 256 || get_bits_left(gb) < 0) {
             av_log(NULL, AV_LOG_ERROR, "Error reading huffman table\n");
             return -1;
         }