wmalosslessdec: Fix reading too many bits in decode_channel_residues()

Fixes a part of CVE-2012-2795 CC:libav-stable@libav.org Based on a patch by Michael Niedermayer <michaelni@gmx.at> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind

wmalosslessdec: Fix reading too many bits in decode_channel_residues()
Fixes a part of CVE-2012-2795 CC:libav-stable@libav.org Based on a patch by Michael Niedermayer <michaelni@gmx.at> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
6a99310f · Anton Khirnov · f48fbf2e · 6a99310f
Commit 6a99310f authored Sep 29, 2012 by Anton Khirnov
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

wmalosslessdec.c libavcodec/wmalosslessdec.c +1 -1

No files found.
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -520,7 +520,7 @@ static int decode_channel_residues(WmallDecodeCtx *s, int ch, int tile_size)
            residue = quo;
        else {
            rem_bits = av_ceil_log2(ave_mean);
-            rem      = rem_bits ? get_bits(&s->gb, rem_bits) : 0;
+            rem      = rem_bits ? get_bits_long(&s->gb, rem_bits) : 0;
            residue  = (quo << rem_bits) + rem;
        }