mjpegdec: parse RSTn to prevent skipping other data in mjpeg_decode_scan

Check explicitly if enough bits are left to prevent an infinite loop
when the bitstream buffer is not followed by zero-padding.

Based on patches by Michael Niedermayer <michaelni@gmx.at>.

libavcodec/mjpegdec.c

@@ -881,14 +881,22 @@ static int mjpeg_decode_scan(MJpegDecodeContext *s, int nb_components, int Ah, i
                 }
             }
 
-            if (s->restart_interval && show_bits(&s->gb, 8) == 0xFF){ /* skip RSTn */
-                --s->restart_count;
-                align_get_bits(&s->gb);
-                while(show_bits(&s->gb, 8) == 0xFF)
-                    skip_bits(&s->gb, 8);
-                skip_bits(&s->gb, 8);
-                for (i=0; i<nb_components; i++) /* reset dc */
-                    s->last_dc[i] = 1024;
+            if (s->restart_interval) {
+                s->restart_count--;
+                i = 8 + ((-get_bits_count(&s->gb)) & 7);
+                /* skip RSTn */
+                if (show_bits(&s->gb, i) == (1 << i) - 1) {
+                    int pos = get_bits_count(&s->gb);
+                    align_get_bits(&s->gb);
+                    while (get_bits_left(&s->gb) >= 8 && show_bits(&s->gb, 8) == 0xFF)
+                        skip_bits(&s->gb, 8);
+                    if ((get_bits(&s->gb, 8) & 0xF8) == 0xD0) {
+                        for (i = 0; i < nb_components; i++) /* reset dc */
+                            s->last_dc[i] = 1024;
+                    } else {
+                        skip_bits_long(&s->gb, pos - get_bits_count(&s->gb));
+                    }
+                }
             }
         }
     }