From 7b4367d93ea2a34baeab2c734630df5e0f11d4c1 Mon Sep 17 00:00:00 2001
From: James Zern <jzern@google.com>
Date: Fri, 16 Oct 2015 15:28:55 -0700
Subject: vp9_parser: fix endless loop w/0-sized frame

treat this the same as an over-sized superframe packet to break out of
the parser loop and allow the decoder to fail.

Reviewed-by: Ronald S. Bultje <rsbultje@gmail.com>
Signed-off-by: James Zern <jzern@google.com>
---
 libavcodec/vp9_parser.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'libavcodec/vp9_parser.c')

diff --git a/libavcodec/vp9_parser.c b/libavcodec/vp9_parser.c
index f1f7e350d2..0437097391 100644
--- a/libavcodec/vp9_parser.c
+++ b/libavcodec/vp9_parser.c
@@ -111,12 +111,12 @@ static int parse(AVCodecParserContext *ctx,
                 while (n_frames--) { \
                     unsigned sz = rd; \
                     idx += a; \
-                    if (sz > size) { \
+                    if (sz == 0 || sz > size) { \
                         s->n_frames = 0; \
                         *out_size = size; \
                         *out_data = data; \
                         av_log(avctx, AV_LOG_ERROR, \
-                               "Superframe packet size too big: %u > %d\n", \
+                               "Invalid superframe packet size: %u frame size: %d\n", \
                                sz, size); \
                         return full_size; \
                     } \
-- 
cgit v1.2.1