From 345a244ed48c6450d7acdc4844bf46224c2af3c7 Mon Sep 17 00:00:00 2001
From: David Wendt
Date: Thu, 25 Jun 2020 23:54:42 -0400
Subject: [PATCH] `read_i32` no longer panics if more than 28 bits are defined within the read-in integer constant.

The underlying problem is actually shift overflow - on the fifth byte in the sequence, it attempts to mask bits by shifting them off the left of the value, which doesn't work here, as we'll be shifting by -3. For those unaware, shifting by a negative does NOT shift in the opposite direction, it instead gives your C compiler permission to stuff demons up your nose. I wouldn't be surprised if this is just outright UB in Flash Player.
---
 swf/src/avm2/read.rs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/swf/src/avm2/read.rs b/swf/src/avm2/read.rs
index f38fa75a4..ec9e4ff61 100644
--- a/swf/src/avm2/read.rs
+++ b/swf/src/avm2/read.rs
@@ -112,9 +112,13 @@ impl Reader {
             let byte: i32 = self.read_u8()?.into();
             n |= (byte & 0b0111_1111) << i;
             i += 7;
+
             if byte & 0b1000_0000 == 0 {
-                n <<= 32 - i;
-                n >>= 32 - i;
+                if i < 32 {
+                    n <<= 32 - i;
+                    n >>= 32 - i;
+                }
+                break;
             }
         }
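Review bot: The new `if i < 32` guard protects only the two sign-extension shifts; the context line at the top of the hunk, `n |= (byte & 0b0111_1111) << i;`, still shifts by whatever `i` the loop carries, and after a fifth byte whose continuation bit is set `i` is already 35, so a sixth iteration would hit the same shift-overflow panic (or a masked shift in release) unless the loop header, which starts before this hunk, bounds the byte count. Since this reader consumes SWF/ABC bytes from outside the program, a varint that never clears its continuation bit should be ended by the reader itself, either by stopping after the fifth byte or by returning the reader's existing error type for malformed input, so a crafted file cannot turn a parse into a panic; if the loop is already bounded before the hunk this reduces to a documentation point. The reason for the `i < 32` test is not obvious from the code, so I would annotate it: `// After five bytes i == 35 and 32 - i is negative, which is a shift overflow in Rust; bits 28..31 already came from the last byte, so no sign extension is needed.` The enclosing loop and `read_i32` begin before this hunk, and the hunk header's line counts suggest one more context line follows what is shown here.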