ape_decode_value_3900: check tmpk

Fixes division by 0

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer 2013-05-02 16:45:06 +02:00
parent 49ec4c7e49
commit 8937230719

View File

@ -518,9 +518,13 @@ static inline int ape_decode_value_3900(APEContext *ctx, APERice *rice)
} else } else
tmpk = (rice->k < 1) ? 0 : rice->k - 1; tmpk = (rice->k < 1) ? 0 : rice->k - 1;
if (tmpk <= 16 || ctx->fileversion < 3910) if (tmpk <= 16 || ctx->fileversion < 3910) {
if (tmpk > 23) {
av_log(ctx->avctx, AV_LOG_ERROR, "Too many bits: %d\n", tmpk);
return AVERROR_INVALIDDATA;
}
x = range_decode_bits(ctx, tmpk); x = range_decode_bits(ctx, tmpk);
else if (tmpk <= 32) { } else if (tmpk <= 32) {
x = range_decode_bits(ctx, 16); x = range_decode_bits(ctx, 16);
x |= (range_decode_bits(ctx, tmpk - 16) << 16); x |= (range_decode_bits(ctx, tmpk - 16) << 16);
} else { } else {