avcodec/rangecoder: Check e

Fixes hang.nut

Found-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b2955b6c5aed11026ec5c7164462899a10cdb937)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

2 files changed, 6 insertions, 1 deletions

diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 0302997fa1..85de676300 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -47,8 +47,11 @@ static inline av_flatten int get_symbol_inline(RangeCoder *c, uint8_t *state,
     else {
         int i, e, a;
         e = 0;
-        while (get_rac(c, state + 1 + FFMIN(e, 9))) // 1..10
+        while (get_rac(c, state + 1 + FFMIN(e, 9))) { // 1..10
             e++;
+            if (e > 31)
+                return AVERROR_INVALIDDATA;
+        }
 
         a = 1;
         for (i = e - 1; i >= 0; i--)
diff --git a/libavcodec/snow.h b/libavcodec/snow.h
index 447859f488..9da44fb65d 100644
--- a/libavcodec/snow.h
+++ b/libavcodec/snow.h
@@ -563,6 +563,8 @@ static inline int get_symbol(RangeCoder *c, uint8_t *state, int is_signed){
         e= 0;
         while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10
             e++;
+            if (e > 31)
+                return AVERROR_INVALIDDATA;
         }
 
         a= 1;