avcodec/flicvideo: fix infinite loops

Fixes #2995. Reported-by: Piotr Bandurski <ami_stuff@o2.pl> Signed-off-by: Paul B Mahol <onemda@gmail.com>
author: Paul B Mahol <onemda@gmail.com> 2013-09-25 19:35:06 +0000
committer: Paul B Mahol <onemda@gmail.com> 2013-09-25 19:45:49 +0000
commit: f5498ef38daa541f03b9c8d3985579394c8407e5 (patch)
tree: 7470f964e5c836c2e1247f84a4557e9c3bc41ded /libavcodec/flicvideo.c
parent: c99d27287d9bcf3cd17b27c81d4171accae5991b (diff)
download: ffmpeg-f5498ef38daa541f03b9c8d3985579394c8407e5.tar.gz
1 files changed, 4 insertions, 2 deletions
diff --git a/libavcodec/flicvideo.c b/libavcodec/flicvideo.c
index a2f9ef99e5..c4bc1a2e24 100644
--- a/libavcodec/flicvideo.c
+++ b/libavcodec/flicvideo.c
@@ -202,7 +202,8 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
     frame_size -= 16;
 
     /* iterate through the chunks */
-    while ((frame_size >= 6) && (num_chunks > 0)) {
+    while ((frame_size >= 6) && (num_chunks > 0) &&
+            bytestream2_get_bytes_left(&g2) >= 4) {
         int stream_ptr_after_chunk;
         chunk_size = bytestream2_get_le32(&g2);
         if (chunk_size > frame_size) {
@@ -519,7 +520,8 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
     frame_size -= 16;
 
     /* iterate through the chunks */
-    while ((frame_size > 0) && (num_chunks > 0)) {
+    while ((frame_size > 0) && (num_chunks > 0) &&
+            bytestream2_get_bytes_left(&g2) >= 4) {
         int stream_ptr_after_chunk;
         chunk_size = bytestream2_get_le32(&g2);
         if (chunk_size > frame_size) {
author	Paul B Mahol <onemda@gmail.com>	2013-09-25 19:35:06 +0000
committer	Paul B Mahol <onemda@gmail.com>	2013-09-25 19:45:49 +0000
commit	f5498ef38daa541f03b9c8d3985579394c8407e5 (patch)
tree	7470f964e5c836c2e1247f84a4557e9c3bc41ded /libavcodec/flicvideo.c
parent	c99d27287d9bcf3cd17b27c81d4171accae5991b (diff)
download	ffmpeg-f5498ef38daa541f03b9c8d3985579394c8407e5.tar.gz