aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2017-09-22 20:45:27 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2017-09-25 11:10:29 +0200
commit04be199f8ea06202200935bbacec5ebcc832a255 (patch)
tree9b12ad128fe69e3d98f63dc0cf426ad69367eeab
parent9e8a636551b24330f0af5514fb97b8e8c1034e06 (diff)
downloadffmpeg-04be199f8ea06202200935bbacec5ebcc832a255.tar.gz
avcodec/takdec: Fix integer overflow in decode_lpc()
Fixes: runtime error: signed integer overflow: 16748560 + 2143729712 cannot be represented in type 'int' Fixes: 3202/clusterfuzz-testcase-minimized-4988291642294272 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 5d31f03a0264cac24434c8108daef4ccba6d28f9) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/takdec.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c
index c74b1d2c10..ba0ce994e7 100644
--- a/libavcodec/takdec.c
+++ b/libavcodec/takdec.c
@@ -206,7 +206,7 @@ static void decode_lpc(int32_t *coeffs, int mode, int length)
int a1 = *coeffs++;
for (i = 0; i < length - 1 >> 1; i++) {
*coeffs += a1;
- coeffs[1] += *coeffs;
+ coeffs[1] += (unsigned)*coeffs;
a1 = coeffs[1];
coeffs += 2;
}