aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2018-04-22 21:46:05 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2018-06-18 01:16:04 +0200
commit30ec2357c98a1eb0c18e1990af04266cf77fac19 (patch)
treea73f6e93f4d6dfc7c24223275153e5037606573a
parent3b23dd4b91afa378344cc3f4cdc7dea2b88a9fe7 (diff)
downloadffmpeg-30ec2357c98a1eb0c18e1990af04266cf77fac19.tar.gz
avcodec/error_resilience: Fix integer overflow in filter181()
Fixes: runtime error: signed integer overflow: 197710 * 10923 cannot be represented in type 'int' Fixes: 7010/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5667127596941312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 1c97035e3b1677d6f0c5b6161ebfeffcf7bb638d) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/error_resilience.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c
index 5364940e94..d7f94c10c2 100644
--- a/libavcodec/error_resilience.c
+++ b/libavcodec/error_resilience.c
@@ -108,7 +108,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride)
dc = -prev_dc +
data[x + y * stride] * 8 -
data[x + 1 + y * stride];
- dc = (dc * 10923 + 32768) >> 16;
+ dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16;
prev_dc = data[x + y * stride];
data[x + y * stride] = dc;
}
@@ -124,7 +124,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride)
dc = -prev_dc +
data[x + y * stride] * 8 -
data[x + (y + 1) * stride];
- dc = (dc * 10923 + 32768) >> 16;
+ dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16;
prev_dc = data[x + y * stride];
data[x + y * stride] = dc;
}