aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2017-09-08 23:29:12 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2017-09-11 12:28:23 +0200
commit2d025e742843ca3532bd49ebbfebeacd51337347 (patch)
tree8e653b02c0fe9b6769c7b3f26cbbb63f819acc32
parentf0efd795f460aa64d06bb542c6eadd113c2585c2 (diff)
downloadffmpeg-2d025e742843ca3532bd49ebbfebeacd51337347.tar.gz
avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int()
Fixes: runtime error: signed integer overflow: 22553 * -188962 cannot be represented in type 'int' Fixes: 3042/clusterfuzz-testcase-minimized-5174210131394560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/jpeg2000dsp.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c
index c746aed924..85a12d0e9b 100644
--- a/libavcodec/jpeg2000dsp.c
+++ b/libavcodec/jpeg2000dsp.c
@@ -65,9 +65,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize)
for (i = 0; i < csize; i++) {
i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16);
- i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16)
+ i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16)
- (((i_ict_params[2] * *src2) + (1 << 15)) >> 16);
- i2 = *src0 + (2 * *src1) + (((-14942 * *src1) + (1 << 15)) >> 16);
+ i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16);
*src0++ = i0;
*src1++ = i1;
*src2++ = i2;