[FFmpeg-devel] [PATCH] mpc demuxer: return -1 on negative tag size instead of an endless loop

[Reimar Döffinger]

Hello,
playing http://samples.mplayerhq.hu/A-codecs/musepack/sv8/sv8-tags.mpc
hangs near the end forever.
This is because size is negative at the end, causing the loop to parse
the same tag over and over forever.
Probably the code should also be extended to handle the file properly,
but either way an endless loop should be made impossible, e.g. like
this:
Index: libavformat/mpc8.c
===================================================================
--- libavformat/mpc8.c  (revision 20091)
+++ libavformat/mpc8.c  (working copy)
@@ -250,6 +250,8 @@
     while(!url_feof(s->pb)){
         pos = url_ftell(s->pb);
         mpc8_get_chunk_header(s->pb, &tag, &size);
+        if (size < 0)
+            return -1;
         if(tag == TAG_AUDIOPACKET){
             if(av_get_packet(s->pb, pkt, size) < 0)
                 return AVERROR(ENOMEM);