cavsdec: check for value in get_ue_code()

Fixes integer overflow and prints an error in case the value is invalid. Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-01-24 21:55:12 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2013-01-24 21:55:12 +0100
commit: cf48b006400e34e1177d0ca22d1cdb5c900a199a (patch)
tree: 0a2ee20580d3548bbf40707ac5833fe9ab4d0f16 /libavcodec/cavsdec.c
parent: 77b740ac0ac4d6f7a011594ae116d5c85384bc68 (diff)
download: ffmpeg-cf48b006400e34e1177d0ca22d1cdb5c900a199a.tar.gz
1 files changed, 7 insertions, 3 deletions
diff --git a/libavcodec/cavsdec.c b/libavcodec/cavsdec.c
index 9450ed137f..fa60d6c0eb 100644
--- a/libavcodec/cavsdec.c
+++ b/libavcodec/cavsdec.c
@@ -510,11 +510,15 @@ static inline void mv_pred_sym(AVSContext *h, cavs_vector *src,
 /** kth-order exponential golomb code */
 static inline int get_ue_code(GetBitContext *gb, int order)
 {
+    unsigned ret = get_ue_golomb(gb);
+    if (ret >= ((1U<<31)>>order)) {
+        av_log(NULL, AV_LOG_ERROR, "get_ue_code: value too larger\n");
+        return AVERROR_INVALIDDATA;
+    }
     if (order) {
-        int ret = get_ue_golomb(gb) << order;
-        return ret + get_bits(gb, order);
+        return (ret<<order) + get_bits(gb, order);
     }
-    return get_ue_golomb(gb);
+    return ret;
 }
 
 static inline int dequant(AVSContext *h, int16_t *level_buf, uint8_t *run_buf,
author	Michael Niedermayer <michaelni@gmx.at>	2013-01-24 21:55:12 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2013-01-24 21:55:12 +0100
commit	cf48b006400e34e1177d0ca22d1cdb5c900a199a (patch)
tree	0a2ee20580d3548bbf40707ac5833fe9ab4d0f16 /libavcodec/cavsdec.c
parent	77b740ac0ac4d6f7a011594ae116d5c85384bc68 (diff)
download	ffmpeg-cf48b006400e34e1177d0ca22d1cdb5c900a199a.tar.gz