avcodec/shorten: check bitshift
authorMichael Niedermayer <michaelni@gmx.at>
Sun, 27 Apr 2014 04:03:32 +0000 (06:03 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Sun, 27 Apr 2014 11:03:28 +0000 (13:03 +0200)
Fixes invalid shift
Fixes CID1194400

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/shorten.c

index 8b91ed3..5c4bf81 100644 (file)
@@ -505,9 +505,16 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
                 while (len--)
                     get_ur_golomb_shorten(&s->gb, VERBATIM_BYTE_SIZE);
                 break;
-            case FN_BITSHIFT:
-                s->bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE);
+            case FN_BITSHIFT: {
+                unsigned bitshift = get_ur_golomb_shorten(&s->gb, BITSHIFTSIZE);
+                if (bitshift > 31) {
+                    av_log(avctx, AV_LOG_ERROR, "bitshift %d is invalid\n",
+                           bitshift);
+                    return AVERROR_PATCHWELCOME;
+                }
+                s->bitshift = bitshift;
                 break;
+            }
             case FN_BLOCKSIZE: {
                 unsigned blocksize = get_uint(s, av_log2(s->blocksize));
                 if (blocksize > s->blocksize) {