ape_decode_value_3900: check tmpk

Fixes division by 0 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

ape_decode_value_3900: check tmpk
Fixes division by 0 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
89372307 · Michael Niedermayer · 49ec4c7e · 89372307
Commit 89372307 authored May 02, 2013 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 2 deletions

apedec.c libavcodec/apedec.c +6 -2

No files found.
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -518,9 +518,13 @@ static inline int ape_decode_value_3900(APEContext *ctx, APERice *rice)
    } else
        tmpk = (rice->k < 1) ? 0 : rice->k - 1;

-    if (tmpk <= 16 || ctx->fileversion < 3910)
+    if (tmpk <= 16 || ctx->fileversion < 3910) {
+        if (tmpk > 23) {
+            av_log(ctx->avctx, AV_LOG_ERROR, "Too many bits: %d\n", tmpk);
+            return AVERROR_INVALIDDATA;
+        }
        x = range_decode_bits(ctx, tmpk);
-    else if (tmpk <= 32) {
+    } else if (tmpk <= 32) {
        x = range_decode_bits(ctx, 16);
        x |= (range_decode_bits(ctx, tmpk - 16) << 16);
    } else {