From a5546736bd8311cb04a9121b9500e2d3252bf487 Mon Sep 17 00:00:00 2001
From: Carl Eugen Hoyos <cehoyos@ag.or.at>
Date: Fri, 23 Dec 2011 11:38:37 +0100
Subject: [PATCH] Fix a possible endless loop when decoding aac.

Fixes ticket #789.
(cherry picked from commit e5de9289232c5b14572fa13e2435f9adb0b0f1ec)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/aacdec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/aacdec.c b/libavcodec/aacdec.c
index 2b2ae8a80d..806e1b52ea 100644
--- a/libavcodec/aacdec.c
+++ b/libavcodec/aacdec.c
@@ -819,10 +819,10 @@ static int decode_band_types(AACContext *ac, enum BandType band_type[120],
                 av_log(ac->avctx, AV_LOG_ERROR, "invalid band type\n");
                 return -1;
             }
-            while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1)
+            while ((sect_len_incr = get_bits(gb, bits)) == (1 << bits) - 1 && get_bits_left(gb) >= bits)
                 sect_end += sect_len_incr;
             sect_end += sect_len_incr;
-            if (get_bits_left(gb) < 0) {
+            if (get_bits_left(gb) < 0 || sect_len_incr == (1 << bits) - 1) {
                 av_log(ac->avctx, AV_LOG_ERROR, overread_err);
                 return -1;
             }