nutdec: abort if EOF is reached in decode_info_header/read_sm_datan2.5.7

These loops can take a lot of time if count is very large.

Reviewed-by: Michael Niedermayer <michaelni@gmx.at>
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
(cherry picked from commit bb23a15df507440deb0dcf25099d321d0f73dc28)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

1 files changed, 12 insertions, 4 deletions

diff --git a/libavformat/nutdec.c b/libavformat/nutdec.c
index 62c270dca0..f5fd5b5447 100644
--- a/libavformat/nutdec.c
+++ b/libavformat/nutdec.c
@@ -492,7 +492,7 @@ static int decode_info_header(NUTContext *nut)
     AVIOContext *bc    = s->pb;
     uint64_t tmp, chapter_start, chapter_len;
     unsigned int stream_id_plus1, count;
-    int chapter_id, i;
+    int chapter_id, i, ret;
     int64_t value, end;
     char name[256], str_value[1024], type_str[256];
     const char *type;
@@ -534,7 +534,11 @@ static int decode_info_header(NUTContext *nut)
     }
 
     for (i = 0; i < count; i++) {
-        get_str(bc, name, sizeof(name));
+        ret = get_str(bc, name, sizeof(name));
+        if (ret < 0) {
+            av_log(s, AV_LOG_ERROR, "get_str failed while decoding info header\n");
+            return ret;
+        }
         value = get_s(bc);
         str_value[0] = 0;
 
@@ -845,14 +849,18 @@ static int read_sm_data(AVFormatContext *s, AVIOContext *bc, AVPacket *pkt, int
     int sample_rate = 0;
     int width = 0;
     int height = 0;
-    int i;
+    int i, ret;
 
     for (i=0; i<count; i++) {
         uint8_t name[256], str_value[256], type_str[256];
         int value;
         if (avio_tell(bc) >= maxpos)
             return AVERROR_INVALIDDATA;
-        get_str(bc, name, sizeof(name));
+        ret = get_str(bc, name, sizeof(name));
+        if (ret < 0) {
+            av_log(s, AV_LOG_ERROR, "get_str failed while reading sm data\n");
+            return ret;
+        }
         value = get_s(bc);
 
         if (value == -1) {