mss1: improve check if decoded pivot is invalid

The pivot has to lie between 0 and base.
Check of ==base is insufficient.
Thus replace it by a proper check.

Fixes out of array write.

Fixes bug #1531.

Found-by: Piotr Bandurski <ami_stuff@o2.pl>
Signed-off-by: Paul B Mahol <onemda@gmail.com>

libavcodec/mss1.c

@@ -575,7 +575,7 @@ static int decode_pivot(MSS1Context *ctx, ArithCoder *acoder, int base)
         val = arith_get_number(acoder, (base + 1) / 2 - 2) + 3;
     }
 
-    if (val == base) {
+    if ((unsigned)val >= base) {
         ctx->corrupted = 1;
         return 0;
     }