From 13751f5a6b2d9de491ef89d6936384e80eafbac3 Mon Sep 17 00:00:00 2001
From: Ryan Francesconi <2917795+ryanfrancesconi@users.noreply.github.com>
Date: Thu, 9 Apr 2026 13:03:36 -0700
Subject: [PATCH] Fix/shorten rice golomb k bounds (#1335)

* Shorten: Reject out-of-range k in getRiceGolombCode

k values outside [0, 31] cause undefined behavior: a left shift by 32
on int32_t (UB in C++) when bitsAvailable reaches 32 after a buffer
refill. Guard against this at the top of getRiceGolombCode and return
false (invalid file) for any k outside the valid range.

* Shorten: Reject out-of-range k in getRiceGolombCode

k values outside [0, 31] cause undefined behavior: a left shift by 32
on int32_t (UB in C++) when bitsAvailable reaches 32 after a buffer
refill. Guard against this at the top of getRiceGolombCode and return
false (invalid file) for any k outside the valid range.
---
 taglib/shorten/shortenfile.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/taglib/shorten/shortenfile.cpp b/taglib/shorten/shortenfile.cpp
index c1e44c10..a77d5cb8 100644
--- a/taglib/shorten/shortenfile.cpp
+++ b/taglib/shorten/shortenfile.cpp
@@ -104,6 +104,11 @@ namespace {
 
   bool VariableLengthInput::getRiceGolombCode(int32_t &i32, int32_t k)
   {
+    // k must be in [0, 31]: values outside this range would cause shift-by-32
+    // (UB for int32_t) or negative shifts, and are invalid for this format.
+    if(k < 0 || k > 31)
+      return false;
+
     static constexpr uint32_t sMaskTable[] = {
       0x0,
       0x1,        0x3,        0x7,        0xf,