X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fshorten.c;h=b785284aa2d9a4856dee9e96884835aa09cfb0dd;hb=8aa60606fb64b8280627935b0df55d4d2aeca5d1;hp=90569bdb1feeebbeddaa3f2a30517efb3a92a9ce;hpb=540b8760e84cda1ecab807c808e61a4cfaa1783c;p=ffmpeg

diff --git a/libavcodec/shorten.c b/libavcodec/shorten.c
index 90569bdb1fe..b785284aa2d 100644
--- a/libavcodec/shorten.c
+++ b/libavcodec/shorten.c
@@ -160,8 +160,11 @@ static int allocate_buffers(ShortenContext *s)
 
 static inline unsigned int get_uint(ShortenContext *s, int k)
 {
-    if (s->version != 0)
+    if (s->version != 0) {
         k = get_ur_golomb_shorten(&s->gb, ULONGSIZE);
+        if (k > 31U)
+            return AVERROR_INVALIDDATA;
+    }
     return get_ur_golomb_shorten(&s->gb, k);
 }
 
@@ -658,6 +661,10 @@ static int shorten_decode_frame(AVCodecContext *avctx, void *data,
                  * of get_sr_golomb_shorten(). */
                 if (s->version == 0)
                     residual_size--;
+                if (residual_size > 30U) {
+                    av_log(avctx, AV_LOG_ERROR, "residual size unsupportd: %d\n", residual_size);
+                    return AVERROR_INVALIDDATA;
+                }
             }
 
             /* calculate sample offset using means from previous blocks */