apedec: check bits <= 32

Fixes FPE Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2012-03-28 10:22:39 +0400
committer: Michael Niedermayer <michaelni@gmx.at> 2012-03-28 10:24:31 +0400
commit: 7a5e5872493ac91af65357680cf03456d0a4f1ff (patch)
tree: 09f307f22832ae88d37cf7861ee4b0203ff9a76f /libavcodec/apedec.c
parent: 936951ca5c46afe91d4efb6ce7e2759424bbe143 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 4a69571ba4..907f45faff 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -421,9 +421,12 @@ static inline int ape_decode_value(APEContext *ctx, APERice *rice)
 
         if (tmpk <= 16)
             x = range_decode_bits(ctx, tmpk);
-        else {
+        else if (tmpk <= 32) {
             x = range_decode_bits(ctx, 16);
             x |= (range_decode_bits(ctx, tmpk - 16) << 16);
+        } else {
+            av_log(ctx->avctx, AV_LOG_ERROR, "too many bits\n");
+            return -1;
         }
         x += overflow << tmpk;
     } else {
author	Michael Niedermayer <michaelni@gmx.at>	2012-03-28 10:22:39 +0400
committer	Michael Niedermayer <michaelni@gmx.at>	2012-03-28 10:24:31 +0400
commit	7a5e5872493ac91af65357680cf03456d0a4f1ff (patch)
tree	09f307f22832ae88d37cf7861ee4b0203ff9a76f /libavcodec/apedec.c
parent	936951ca5c46afe91d4efb6ce7e2759424bbe143 (diff)