From 8e9c39e81fe5ba34010a7ba05cbe4ae31f177d89 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Date: Tue, 26 May 2015 14:24:35 +0100
Subject: mov: abort on EOF in ff_mov_read_chan

Otherwise the loop can take a lot of time if num_descr is very large.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Signed-off-by: Luca Barbato <lu_zero@gentoo.org>
---
 libavformat/mov_chan.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'libavformat/mov_chan.c')

diff --git a/libavformat/mov_chan.c b/libavformat/mov_chan.c
index 2c54920427..94b93cf39c 100644
--- a/libavformat/mov_chan.c
+++ b/libavformat/mov_chan.c
@@ -565,6 +565,11 @@ int ff_mov_read_chan(AVFormatContext *s, AVIOContext *pb, AVStream *st,
     label_mask = 0;
     for (i = 0; i < num_descr; i++) {
         uint32_t label;
+        if (pb->eof_reached) {
+            av_log(s, AV_LOG_ERROR,
+                   "reached EOF while reading channel layout\n");
+            return AVERROR_INVALIDDATA;
+        }
         label     = avio_rb32(pb);          // mChannelLabel
         avio_rb32(pb);                      // mChannelFlags
         avio_rl32(pb);                      // mCoordinates[0]
-- 
cgit v1.2.3