aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2019-06-18 14:28:17 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2019-11-14 23:30:37 +0100
commit00d5a4703925c4b3c8a3c5df73f984e6c4b9d3f4 (patch)
treef94f3c05c1cc1abcd7a8c35019d0ceb62cf1875c
parented92170916cab316ae22e06cde6a47d0f8bf4d0a (diff)
downloadffmpeg-00d5a4703925c4b3c8a3c5df73f984e6c4b9d3f4.tar.gz
avcodec/binkdsp: Fix integer overflows in idct
Fixes: signed integer overflow: 3784 * 682038 cannot be represented in type 'int' Fixes: 15265/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-5088311799971840 Fixes: 15268/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-5666502344179712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Reviewed-by: Peter Ross <pross@xvid.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 7a072fbcc4c6f8ddbf37b131c2d141589118abcd) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/binkdsp.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/libavcodec/binkdsp.c b/libavcodec/binkdsp.c
index 9d70e2326f..a357d31672 100644
--- a/libavcodec/binkdsp.c
+++ b/libavcodec/binkdsp.c
@@ -33,20 +33,22 @@
#define A3 3784
#define A4 -5352
+#define MUL(X,Y) ((int)((unsigned)(X) * (Y)) >> 11)
+
#define IDCT_TRANSFORM(dest,s0,s1,s2,s3,s4,s5,s6,s7,d0,d1,d2,d3,d4,d5,d6,d7,munge,src) {\
const int a0 = (src)[s0] + (src)[s4]; \
const int a1 = (src)[s0] - (src)[s4]; \
const int a2 = (src)[s2] + (src)[s6]; \
- const int a3 = (A1*((src)[s2] - (src)[s6])) >> 11; \
+ const int a3 = MUL(A1, (src)[s2] - (src)[s6]); \
const int a4 = (src)[s5] + (src)[s3]; \
const int a5 = (src)[s5] - (src)[s3]; \
const int a6 = (src)[s1] + (src)[s7]; \
const int a7 = (src)[s1] - (src)[s7]; \
const int b0 = a4 + a6; \
- const int b1 = (A3*(a5 + a7)) >> 11; \
- const int b2 = ((A4*a5) >> 11) - b0 + b1; \
- const int b3 = (A1*(a6 - a4) >> 11) - b2; \
- const int b4 = ((A2*a7) >> 11) + b3 - b1; \
+ const int b1 = MUL(A3, a5 + a7); \
+ const int b2 = MUL(A4, a5) - b0 + b1; \
+ const int b3 = MUL(A1, a6 - a4) - b2; \
+ const int b4 = MUL(A2, a7) + b3 - b1; \
(dest)[d0] = munge(a0+a2 +b0); \
(dest)[d1] = munge(a1+a3-a2+b2); \
(dest)[d2] = munge(a1-a3+a2+b3); \