avcodec/ffv1dec: Fix integer overflow in read_quant_table()

Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 3361/clusterfuzz-testcase-minimized-5065842955911168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit d00fc952b6c261dd8eb0f7552b9ccf985dbc2b20) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2017-09-18 17:26:09 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2018-01-31 22:56:14 +0100
commit: 104d36647cc21fc969a9cb8766c06c30c0e826c9 (patch)
tree: 413b784969d7bfa6bbd4d38d0513e0222b825c5c
parent: a2d129a841f5f2393196f80df3781ac28607738b (diff)
download: ffmpeg-104d36647cc21fc969a9cb8766c06c30c0e826c9.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 52a56869cb..ba4c8c1a55 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -479,7 +479,7 @@ static int read_quant_table(RangeCoder *c, int16_t *quant_table, int scale)
     memset(state, 128, sizeof(state));
 
     for (v = 0; i < 128; v++) {
-        unsigned len = get_symbol(c, state, 0) + 1;
+        unsigned len = get_symbol(c, state, 0) + 1U;
 
         if (len > 128 - i || !len)
             return AVERROR_INVALIDDATA;
author	Michael Niedermayer <michael@niedermayer.cc>	2017-09-18 17:26:09 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2018-01-31 22:56:14 +0100
commit	104d36647cc21fc969a9cb8766c06c30c0e826c9 (patch)
tree	413b784969d7bfa6bbd4d38d0513e0222b825c5c
parent	a2d129a841f5f2393196f80df3781ac28607738b (diff)
download	ffmpeg-104d36647cc21fc969a9cb8766c06c30c0e826c9.tar.gz