lavc/movtextdec.c: Avoid infinite loop on invalid data.
authorSasi Inguva <isasi-at-google.com@ffmpeg.org>
Wed, 28 Sep 2016 02:23:20 +0000 (19:23 -0700)
committerMichael Niedermayer <michael@niedermayer.cc>
Wed, 28 Sep 2016 09:12:20 +0000 (11:12 +0200)
Signed-off-by: Sasi Inguva <isasi@google.com>
(cherry picked from commit 7e9e1b7070242a79fa6e3acd749d7fe76e39ea7b)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/movtextdec.c

index 257d598..e7c3d49 100644 (file)
@@ -476,6 +476,10 @@ static int mov_text_decode_frame(AVCodecContext *avctx,
             tsmb_type = AV_RB32(tsmb);
             tsmb += 4;
 
+            if (tsmb_size == 0) {
+              return AVERROR_INVALIDDATA;
+            }
+
             if (tsmb_size == 1) {
                 if (m->tracksize + 16 > avpkt->size)
                     break;