avcodec/ffv1dec: Fix integer overflow in read_quant_table()

Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 3361/clusterfuzz-testcase-minimized-5065842955911168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit d00fc952b6c261dd8eb0f7552b9ccf985dbc2b20) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2017-09-18 17:26:09 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2017-09-24 02:41:22 +0200
commit: 2ccc30217ace340b3cbbda2b771aa1e05110de30 (patch)
tree: 154c8c97fb5a3e960c9508ae2993456d3157d43a
parent: eb505747a7aa1deaccc34416e6f4d398de54cb53 (diff)
download: ffmpeg-2ccc30217ace340b3cbbda2b771aa1e05110de30.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 2456d6c0d1..7e9130aa3b 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -480,7 +480,7 @@ static int read_quant_table(RangeCoder *c, int16_t *quant_table, int scale)
     memset(state, 128, sizeof(state));
 
     for (v = 0; i < 128; v++) {
-        unsigned len = get_symbol(c, state, 0) + 1;
+        unsigned len = get_symbol(c, state, 0) + 1U;
 
         if (len > 128 - i)
             return AVERROR_INVALIDDATA;
author	Michael Niedermayer <michael@niedermayer.cc>	2017-09-18 17:26:09 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2017-09-24 02:41:22 +0200
commit	2ccc30217ace340b3cbbda2b771aa1e05110de30 (patch)
tree	154c8c97fb5a3e960c9508ae2993456d3157d43a
parent	eb505747a7aa1deaccc34416e6f4d398de54cb53 (diff)
download	ffmpeg-2ccc30217ace340b3cbbda2b771aa1e05110de30.tar.gz