aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2017-07-09 15:19:18 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2017-07-19 03:47:46 +0200
commit080d6de9dfc12107e3f2feb15925b6b3710d2ee6 (patch)
treea45e58997a6baa7d03d1f950d65218c6b8292c0a
parent82ba7646c2496a1d011ae6c3acfcd7825cffbf49 (diff)
downloadffmpeg-080d6de9dfc12107e3f2feb15925b6b3710d2ee6.tar.gz
avcodec/aacps (fixed point): Fix multiple signed integer overflows
Fixes: runtime error: signed integer overflow: 1421978265 - -1810326882 cannot be represented in type 'int' Fixes: 2527/clusterfuzz-testcase-minimized-5260915396050944 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 80b9e40b6f1e15db9f36c195e7375e65f6b4924f) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/aacps.c25
1 files changed, 8 insertions, 17 deletions
diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c
index 01f6d1f076..8b2cb9f02c 100644
--- a/libavcodec/aacps.c
+++ b/libavcodec/aacps.c
@@ -692,26 +692,17 @@ static void decorrelation(PSContext *ps, INTFLOAT (*out)[32][2], const INTFLOAT
for (i = 0; i < NR_PAR_BANDS[is34]; i++) {
for (n = n0; n < nL; n++) {
int decayed_peak;
- int denom;
-
decayed_peak = (int)(((int64_t)peak_decay_factor * \
peak_decay_nrg[i] + 0x40000000) >> 31);
peak_decay_nrg[i] = FFMAX(decayed_peak, power[i][n]);
- power_smooth[i] += (power[i][n] - power_smooth[i] + 2) >> 2;
- peak_decay_diff_smooth[i] += (peak_decay_nrg[i] - power[i][n] - \
- peak_decay_diff_smooth[i] + 2) >> 2;
- denom = peak_decay_diff_smooth[i] + (peak_decay_diff_smooth[i] >> 1);
- if (denom > power_smooth[i]) {
- int p = power_smooth[i];
- while (denom < 0x40000000) {
- denom <<= 1;
- p <<= 1;
- }
- transient_gain[i][n] = p / (denom >> 16);
- }
- else {
- transient_gain[i][n] = 1 << 16;
- }
+ power_smooth[i] += (power[i][n] + 2LL - power_smooth[i]) >> 2;
+ peak_decay_diff_smooth[i] += (peak_decay_nrg[i] + 2LL - power[i][n] - \
+ peak_decay_diff_smooth[i]) >> 2;
+
+ if (peak_decay_diff_smooth[i]) {
+ transient_gain[i][n] = FFMIN(power_smooth[i]*43691LL / peak_decay_diff_smooth[i], 1<<16);
+ } else
+ transient_gain[i][n] = 1 << 16;
}
}
#else