[FFmpeg-cvslog] webp: fix infinite loop in webp_decode_frame

Andreas Cadhalpun git at videolan.org
Thu Jul 23 02:17:07 CEST 2015


ffmpeg | branch: release/2.6 | Andreas Cadhalpun <andreas.cadhalpun at googlemail.com> | Thu Jul  2 23:45:46 2015 +0200| [3c96f21d6e9de6832a59645273e94dfd65126d2d] | committer: Michael Niedermayer

webp: fix infinite loop in webp_decode_frame

The loop always needs at least 8 bytes for chunk_type and chunk_size.
If fewer are left, bytestream2_get_le32 just returns 0 without
reading any bytes, leading to an infinite loop.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 0762152f7af6cd93bc8f504d5503723500c3f369)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
(cherry picked from commit 762a5878a6b0bef923ef97c15fdb8274a0351278)

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3c96f21d6e9de6832a59645273e94dfd65126d2d
---

 libavcodec/webp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/webp.c b/libavcodec/webp.c
index 47e9e9e..723a847 100644
--- a/libavcodec/webp.c
+++ b/libavcodec/webp.c
@@ -1387,7 +1387,7 @@ static int webp_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     }
 
     av_dict_free(&s->exif_metadata);
-    while (bytestream2_get_bytes_left(&gb) > 0) {
+    while (bytestream2_get_bytes_left(&gb) > 8) {
         char chunk_str[5] = { 0 };
 
         chunk_type = bytestream2_get_le32(&gb);



More information about the ffmpeg-cvslog mailing list