pngdec: Stop trying to decode once inflate returns Z_STREAM_END
authorMartin Storsjö <martin@martin.st>
Sat, 28 Sep 2013 21:12:04 +0000 (00:12 +0300)
committerLuca Barbato <lu_zero@gentoo.org>
Tue, 7 Jan 2014 08:43:57 +0000 (09:43 +0100)
If the input buffer contains more data after the deflate stream,
the loop previously left running infinitely, with inflate returning
Z_STREAM_END.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
(cherry picked from commit a81cad8f86d1feb7e4bfae29e43f3e994935a5c7)
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
(cherry picked from commit a63e83cd4b43c3dcef38f7fefe41c002a263af0f)

libavcodec/pngdec.c

index ac98f70..22f154e 100644 (file)
@@ -377,6 +377,10 @@ static int png_decode_idat(PNGDecContext *s, int length)
             s->zstream.avail_out = s->crow_size;
             s->zstream.next_out = s->crow_buf;
         }
+        if (ret == Z_STREAM_END && s->zstream.avail_in > 0) {
+            av_log(NULL, AV_LOG_WARNING, "%d undecompressed bytes left in buffer\n", s->zstream.avail_in);
+            return 0;
+        }
     }
     return 0;
 }