webp: fix infinite loop in webp_decode_frame

The loop always needs at least 8 bytes for chunk_type and chunk_size. If fewer are left, bytestream2_get_le32 just returns 0 without reading any bytes, leading to an infinite loop. Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 0762152f7af6cd93bc8f504d5503723500c3f369) Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> (cherry picked from commit 762a5878a6b0bef923ef97c15fdb8274a0351278) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Andreas Cadhalpun <andreas.cadhalpun@googlemail.com> 2015-07-02 23:45:46 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2015-07-23 01:37:17 +0200
commit: 3c96f21d6e9de6832a59645273e94dfd65126d2d (patch)
tree: c1a1c7537a2127c326a205bd273fc7d87ba28a1d
parent: e812220a304de49abe2a9553692dfd487ec9a888 (diff)
download: ffmpeg-3c96f21d6e9de6832a59645273e94dfd65126d2d.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/webp.c b/libavcodec/webp.c
index 47e9e9e662..723a84769b 100644
--- a/libavcodec/webp.c
+++ b/libavcodec/webp.c
@@ -1387,7 +1387,7 @@ static int webp_decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
     }
 
     av_dict_free(&s->exif_metadata);
-    while (bytestream2_get_bytes_left(&gb) > 0) {
+    while (bytestream2_get_bytes_left(&gb) > 8) {
         char chunk_str[5] = { 0 };
 
         chunk_type = bytestream2_get_le32(&gb);
author	Andreas Cadhalpun <andreas.cadhalpun@googlemail.com>	2015-07-02 23:45:46 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2015-07-23 01:37:17 +0200
commit	3c96f21d6e9de6832a59645273e94dfd65126d2d (patch)
tree	c1a1c7537a2127c326a205bd273fc7d87ba28a1d
parent	e812220a304de49abe2a9553692dfd487ec9a888 (diff)
download	ffmpeg-3c96f21d6e9de6832a59645273e94dfd65126d2d.tar.gz