flac: fix infinite loops on all-zero input or end-of-stream.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
author: Ronald S. Bultje <rsbultje@gmail.com> 2012-02-15 09:52:11 -0800
committer: Ronald S. Bultje <rsbultje@gmail.com> 2012-02-16 17:08:29 -0800
commit: 52e4018be47697a60f4f18f83551766df31f5adf (patch)
tree: bdf50e94f4a6e75037256f58ea2ae6cd7358b6f9 /libavcodec/flacdec.c
parent: b4027d97498af67313bded746b3da38915e155f5 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/libavcodec/flacdec.c b/libavcodec/flacdec.c
index 2b7f7eeb9e..7454d8b7f7 100644
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -422,7 +422,16 @@ static inline int decode_subframe(FLACContext *s, int channel)
     type = get_bits(&s->gb, 6);
 
     if (get_bits1(&s->gb)) {
+        int left = get_bits_left(&s->gb);
         wasted = 1;
+        if ( left < 0 ||
+            (left < s->curr_bps && !show_bits_long(&s->gb, left)) ||
+                                   !show_bits_long(&s->gb, s->curr_bps)) {
+            av_log(s->avctx, AV_LOG_ERROR,
+                   "Invalid number of wasted bits > available bits (%d) - left=%d\n",
+                   s->curr_bps, left);
+            return AVERROR_INVALIDDATA;
+        }
         while (!get_bits1(&s->gb))
             wasted++;
         s->curr_bps -= wasted;
author	Ronald S. Bultje <rsbultje@gmail.com>	2012-02-15 09:52:11 -0800
committer	Ronald S. Bultje <rsbultje@gmail.com>	2012-02-16 17:08:29 -0800
commit	52e4018be47697a60f4f18f83551766df31f5adf (patch)
tree	bdf50e94f4a6e75037256f58ea2ae6cd7358b6f9 /libavcodec/flacdec.c
parent	b4027d97498af67313bded746b3da38915e155f5 (diff)