diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2018-04-22 21:46:05 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2018-06-18 01:16:04 +0200 |
commit | 30ec2357c98a1eb0c18e1990af04266cf77fac19 (patch) | |
tree | a73f6e93f4d6dfc7c24223275153e5037606573a | |
parent | 3b23dd4b91afa378344cc3f4cdc7dea2b88a9fe7 (diff) | |
download | ffmpeg-30ec2357c98a1eb0c18e1990af04266cf77fac19.tar.gz |
avcodec/error_resilience: Fix integer overflow in filter181()
Fixes: runtime error: signed integer overflow: 197710 * 10923 cannot be represented in type 'int'
Fixes: 7010/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5667127596941312
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1c97035e3b1677d6f0c5b6161ebfeffcf7bb638d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/error_resilience.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c index 5364940e94..d7f94c10c2 100644 --- a/libavcodec/error_resilience.c +++ b/libavcodec/error_resilience.c @@ -108,7 +108,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride) dc = -prev_dc + data[x + y * stride] * 8 - data[x + 1 + y * stride]; - dc = (dc * 10923 + 32768) >> 16; + dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16; prev_dc = data[x + y * stride]; data[x + y * stride] = dc; } @@ -124,7 +124,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride) dc = -prev_dc + data[x + y * stride] * 8 - data[x + (y + 1) * stride]; - dc = (dc * 10923 + 32768) >> 16; + dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16; prev_dc = data[x + y * stride]; data[x + y * stride] = dc; } |