avcodec/sgirledec: fix infinite loop in decode_sgirle8()

Fixes #2985. Reported-by: Piotr Bandurski <ami_stuff@o2.pl> Signed-off-by: Paul B Mahol <onemda@gmail.com>

avcodec/sgirledec: fix infinite loop in decode_sgirle8()
Fixes #2985. Reported-by: Piotr Bandurski <ami_stuff@o2.pl> Signed-off-by: Paul B Mahol <onemda@gmail.com>
b00fb157 · Paul B Mahol · 601eab2b · b00fb157
Commit b00fb157 authored Sep 22, 2013 by Paul B Mahol
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

sgirledec.c libavcodec/sgirledec.c +3 -1

No files found.
--- a/libavcodec/sgirledec.c
+++ b/libavcodec/sgirledec.c
@@ -82,6 +82,8 @@ static int decode_sgirle8(AVCodecContext *avctx, uint8_t *dst, const uint8_t *sr
        if (v > 0 && v < 0xC0) {
            do {
                int length = FFMIN(v, width - x);
+                if (length <= 0)
+                    break;
                memset(dst + y*linesize + x, RGB332_TO_BGR8(*src), length);
                INC_XY(length);
                v   -= length;
@@ -91,7 +93,7 @@ static int decode_sgirle8(AVCodecContext *avctx, uint8_t *dst, const uint8_t *sr
            v -= 0xC0;
            do {
                int length = FFMIN3(v, width - x, src_end - src);
-                if (src_end - src < length)
+                if (src_end - src < length || length <= 0)
                    break;
                memcpy_rgb332_to_bgr8(dst + y*linesize + x, src, length);
                INC_XY(length);