From b00fb157bae79f9735910064585fd95b8c123003 Mon Sep 17 00:00:00 2001
From: Paul B Mahol
Date: Sun, 22 Sep 2013 17:22:51 +0000
Subject: [PATCH] avcodec/sgirledec: fix infinite loop in decode_sgirle8()
Fixes #2985.
Reported-by: Piotr Bandurski
Signed-off-by: Paul B Mahol
---
 libavcodec/sgirledec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavcodec/sgirledec.c b/libavcodec/sgirledec.c
index af149d14e9..6cdc8d6883 100644
--- a/libavcodec/sgirledec.c
+++ b/libavcodec/sgirledec.c
@@ -82,6 +82,8 @@ static int decode_sgirle8(AVCodecContext *avctx, uint8_t *dst, const uint8_t *sr
 if (v > 0 && v < 0xC0) {
 do {
 int length = FFMIN(v, width - x);
+ if (length <= 0)
+ break;
 memset(dst + y*linesize + x, RGB332_TO_BGR8(*src), length);
 INC_XY(length);
 v -= length;
@@ -91,7 +93,7 @@ static int decode_sgirle8(AVCodecContext *avctx, uint8_t *dst, const uint8_t *sr
 v -= 0xC0;
 do {
 int length = FFMIN3(v, width - x, src_end - src);
- if (src_end - src < length)
+ if (src_end - src < length || length <= 0)
 break;
 memcpy_rgb332_to_bgr8(dst + y*linesize + x, src, length);
 INC_XY(length);
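Review bot: In the first hunk (the run-fill branch, `v > 0 && v < 0xC0`) the new `if (length <= 0) break;` leaves the inner loop with `v` still non-zero, and nothing visible tells the caller that the run did not fit in the row; the same is true of the `length <= 0` case added in the second hunk. If `width - x` can only reach zero or go negative on malformed input, it would be safer to reject the frame than to return a partially filled one, e.g. `if (length <= 0) return AVERROR_INVALIDDATA;`, assuming that matches the function's return convention. Failing that, a comment such as `/* no room left in this row: stop rather than pass a non-positive length to memset() */` would record why the guard exists. Both `do` loops and the rest of decode_sgirle8() continue outside the hunks, so whether a short decode is detected later cannot be seen here.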
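Review bot: In the second hunk the left-hand test `src_end - src < length` looks unreachable, because `length` is computed on the preceding line as `FFMIN3(v, width - x, src_end - src)` and so cannot exceed `src_end - src`. The guard could be reduced to `if (length <= 0) break;`, which makes it plain that the FFMIN3 clamp is what bounds the read from `src` in memcpy_rgb332_to_bgr8(). If the older comparison is kept deliberately as defence in depth, a short comment saying so would stop a later cleanup from removing the wrong half. The loop's closing `while` is outside the hunk.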