From a81cad8f86d1feb7e4bfae29e43f3e994935a5c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martin=20Storsj=C3=B6?= <martin@martin.st>
Date: Sun, 29 Sep 2013 00:12:04 +0300
Subject: [PATCH] pngdec: Stop trying to decode once inflate returns
 Z_STREAM_END
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If the input buffer contains more data after the deflate stream,
the loop previously kept running infinitely, with inflate returning
Z_STREAM_END.

Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Signed-off-by: Martin Storsjö <martin@martin.st>
---
 libavcodec/pngdec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index ec44d56de82..8864e4a214f 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -378,6 +378,10 @@ static int png_decode_idat(PNGDecContext *s, int length)
             s->zstream.avail_out = s->crow_size;
             s->zstream.next_out  = s->crow_buf;
         }
+        if (ret == Z_STREAM_END && s->zstream.avail_in > 0) {
+            av_log(NULL, AV_LOG_WARNING, "%d undecompressed bytes left in buffer\n", s->zstream.avail_in);
+            return 0;
+        }
     }
     return 0;
 }
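Review bot: The added av_log call prints `s->zstream.avail_in` with `%d`, but zlib declares `avail_in` as `uInt`, so the specifier should be `%u`: `av_log(NULL, AV_LOG_WARNING, "%u undecompressed bytes left in buffer\n", s->zstream.avail_in);`. The call also passes `NULL` as the logging context, so the warning cannot be tied to a decoder instance; if PNGDecContext holds a codec context pointer (not visible in this hunk), passing that would be better. Since this check is what stops trailing input from spinning the loop, a short comment above it would protect it from later refactoring, for example `/* inflate() consumes nothing more after Z_STREAM_END; stop so trailing bytes cannot keep the loop alive */`. The start of png_decode_idat and of its loop lies outside the hunk, so the loop condition itself is inferred from the commit message.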
-- 
GitLab