From e20ebe491c17388a312e04ff060c217ecfafc914 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Sun, 27 Apr 2014 06:03:32 +0200
Subject: [PATCH] avcodec/shorten: check bitshift

Fixes invalid shift
Fixes CID1194400

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/shorten.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 8b91ed3645..5c4bf816b9 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -505,9 +505,16 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
                 while (len--)
                     get_ur_golomb_shorten(&s->gb, VERBATIM_BYTE_SIZE);
                 break;
-            case FN_BITSHIFT:
-                s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE);
+            case FN_BITSHIFT: {
+                unsigned bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE);
+                if (bitshift > 31) {
+                    av_log(avctx, AV_LOG_ERROR, "bitshift %d is invalid\n",
+                           bitshift);
+                    return AVERROR_PATCHWELCOME;
+                }
+                s->bitshift = bitshift;
                 break;
+            }
             case FN_BLOCKSIZE: {
                 unsigned blocksize = get_uint(s, av_log2(s->blocksize));
                 if (blocksize > s->blocksize) {