[FFmpeg-cvslog] webp: fix infinite loop in webp_decode_frame
Andreas Cadhalpun
git at videolan.org
Thu Jul 23 02:17:07 CEST 2015
ffmpeg | branch: release/2.6 | Andreas Cadhalpun <andreas.cadhalpun at googlemail.com> | Thu Jul 2 23:45:46 2015 +0200| [3c96f21d6e9de6832a59645273e94dfd65126d2d] | committer: Michael Niedermayer
webp: fix infinite loop in webp_decode_frame
The loop always needs at least 8 bytes for chunk_type and chunk_size.
If fewer are left, bytestream2_get_le32 just returns 0 without
reading any bytes, leading to an infinite loop.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 0762152f7af6cd93bc8f504d5503723500c3f369)
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
(cherry picked from commit 762a5878a6b0bef923ef97c15fdb8274a0351278)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3c96f21d6e9de6832a59645273e94dfd65126d2d
---
libavcodec/webp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/webp.c b/libavcodec/webp.c
index 47e9e9e..723a847 100644
--- a/libavcodec/webp.c
+++ b/libavcodec/webp.c
@@ -1387,7 +1387,7 @@ static int webp_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
}
av_dict_free(&s->exif_metadata);
- while (bytestream2_get_bytes_left(&gb) > 0) {
+ while (bytestream2_get_bytes_left(&gb) > 8) {
char chunk_str[5] = { 0 };
chunk_type = bytestream2_get_le32(&gb);
More information about the ffmpeg-cvslog
mailing list