CVE-2019-14443

commit 8937230719ad7039ff908793f3bb2111e26e4edc
Author: Michael Niedermayer <michaelni@gmx.at>
Date:   Thu May 2 16:45:06 2013 +0200

    ape_decode_value_3900: check tmpk

    Fixes division by 0

    Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Gbp-Pq: Name CVE-2019-14443.patch

diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 131c6f32d744f8a16628181186217848d4f48ceb..1f91e67b91ab2e0ab9b1023262c2a87dc12830e7 100644 (file)
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -541,9 +541,13 @@ static inline int ape_decode_value_3900(APEContext *ctx, APERice *rice)
     } else
         tmpk = (rice->k < 1) ? 0 : rice->k - 1;
 
-    if (tmpk <= 16 || ctx->fileversion < 3910)
+    if (tmpk <= 16 || ctx->fileversion < 3910) {
+        if (tmpk > 23) {
+            av_log(ctx->avctx, AV_LOG_ERROR, "Too many bits: %d\n", tmpk);
+            return AVERROR_INVALIDDATA;
+        }
         x = range_decode_bits(ctx, tmpk);
-    else if (tmpk <= 32) {
+    } else if (tmpk <= 32) {
         x = range_decode_bits(ctx, 16);
         x |= (range_decode_bits(ctx, tmpk - 16) << 16);
     } else {