diff options
| author | Michael Niedermayer <michaelni@gmx.at> | 2013-05-02 16:45:06 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michaelni@gmx.at> | 2013-05-02 16:45:32 +0200 |
| commit | 8937230719ad7039ff908793f3bb2111e26e4edc (patch) | |
| tree | 640a23913adea2b822bd5db2b7f7f5e99ae4558a /libavcodec/apedec.c | |
| parent | 49ec4c7e49a4fe309d85a2e85a21ee526fc162c8 (diff) | |
| download | ffmpeg-8937230719ad7039ff908793f3bb2111e26e4edc.tar.gz | |
ape_decode_value_3900: check tmpk
Fixes division by 0
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/apedec.c')
| -rw-r--r-- | libavcodec/apedec.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c index af5ac6feb9..be6edd2f46 100644 --- a/libavcodec/apedec.c +++ b/libavcodec/apedec.c @@ -518,9 +518,13 @@ static inline int ape_decode_value_3900(APEContext *ctx, APERice *rice) } else tmpk = (rice->k < 1) ? 0 : rice->k - 1; - if (tmpk <= 16 || ctx->fileversion < 3910) + if (tmpk <= 16 || ctx->fileversion < 3910) { + if (tmpk > 23) { + av_log(ctx->avctx, AV_LOG_ERROR, "Too many bits: %d\n", tmpk); + return AVERROR_INVALIDDATA; + } x = range_decode_bits(ctx, tmpk); - else if (tmpk <= 32) { + } else if (tmpk <= 32) { x = range_decode_bits(ctx, 16); x |= (range_decode_bits(ctx, tmpk - 16) << 16); } else { |