Browse code
Return an error when the parsed mpc chunk size is negative, otherwise we might end up in an endless loop where the same chunk is parsed over and over. Fixes a hang near the end for http://samples.mplayerhq.hu/A-codecs/musepack/sv8/sv8-tags.mpc
Originally committed as revision 20099 to svn://svn.ffmpeg.org/ffmpeg/trunk
Reimar Döffinger authored on 2009/09/30 22:35:13Showing 1 changed files
| ... | ... |
@@ -250,6 +250,8 @@ static int mpc8_read_packet(AVFormatContext *s, AVPacket *pkt) |
| 250 | 250 |
while(!url_feof(s->pb)){
|
| 251 | 251 |
pos = url_ftell(s->pb); |
| 252 | 252 |
mpc8_get_chunk_header(s->pb, &tag, &size); |
| 253 |
+ if (size < 0) |
|
| 254 |
+ return -1; |
|
| 253 | 255 |
if(tag == TAG_AUDIOPACKET){
|
| 254 | 256 |
if(av_get_packet(s->pb, pkt, size) < 0) |
| 255 | 257 |
return AVERROR(ENOMEM); |