Return an error when the parsed mpc chunk size is negative, otherwise we

might end up in an endless loop where the same chunk is parsed over and over.
Fixes a hang near the end for http://samples.mplayerhq.hu/A-codecs/musepack/sv8/sv8-tags.mpc

Originally committed as revision 20099 to svn://svn.ffmpeg.org/ffmpeg/trunk

diff --git a/libavformat/mpc8.c b/libavformat/mpc8.c
index 51817f1..85cbb41 100644 (file)
--- a/libavformat/mpc8.c
+++ b/libavformat/mpc8.c
@@ -250,6 +250,8 @@ static int mpc8_read_packet(AVFormatContext *s, AVPacket *pkt)
     while(!url_feof(s->pb)){
         pos = url_ftell(s->pb);
         mpc8_get_chunk_header(s->pb, &tag, &size);
+        if (size < 0)
+            return -1;
         if(tag == TAG_AUDIOPACKET){
             if(av_get_packet(s->pb, pkt, size) < 0)
                 return AVERROR(ENOMEM);