flac: fix infinite loops on all-zero input or end-of-stream.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org

flac: fix infinite loops on all-zero input or end-of-stream.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
52e4018b · Ronald S. Bultje · b4027d97 · 52e4018b · 52e4018b
Commit 52e4018b authored Feb 15, 2012 by Ronald S. Bultje
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 1 deletion

flacdec.c libavcodec/flacdec.c +9 -0

golomb.h libavcodec/golomb.h +1 -1

No files found.
--- a/libavcodec/flacdec.c
+++ b/libavcodec/flacdec.c
@@ -422,7 +422,16 @@ static inline int decode_subframe(FLACContext *s, int channel)
    type = get_bits(&s->gb, 6);

    if (get_bits1(&s->gb)) {
+        int left = get_bits_left(&s->gb);
        wasted = 1;
+        if ( left < 0 ||
+            (left < s->curr_bps && !show_bits_long(&s->gb, left)) ||
+                                   !show_bits_long(&s->gb, s->curr_bps)) {
+            av_log(s->avctx, AV_LOG_ERROR,
+                   "Invalid number of wasted bits > available bits (%d) - left=%d\n",
+                   s->curr_bps, left);
+            return AVERROR_INVALIDDATA;
+        }
        while (!get_bits1(&s->gb))
            wasted++;
        s->curr_bps -= wasted;

--- a/libavcodec/golomb.h
+++ b/libavcodec/golomb.h
@@ -301,7 +301,7 @@ static inline int get_ur_golomb_jpegls(GetBitContext *gb, int k, int limit, int
        return buf;
    }else{
        int i;
-        for(i=0; SHOW_UBITS(re, gb, 1) == 0; i++){
+        for (i = 0; i < limit && SHOW_UBITS(re, gb, 1) == 0; i++) {
            LAST_SKIP_BITS(re, gb, 1);
            UPDATE_CACHE(re, gb);
        }