diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2017-09-22 20:45:26 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2017-09-24 21:54:13 +0200 |
commit | 3dabb9c69db114b1f30c30e0a2788cffc50bac40 (patch) | |
tree | 371d3009bf8d5795b12f1a235a060ca44424170f | |
parent | 3d2da6d585509daddcd65f206b1a262c9c78cbce (diff) | |
download | ffmpeg-3dabb9c69db114b1f30c30e0a2788cffc50bac40.tar.gz |
avcodec/takdec: Fix integer overflows in decode_subframe()
Fixes: runtime error: signed integer overflow: -1562477869 + -691460395 cannot be represented in type 'int'
Fixes: 3196/clusterfuzz-testcase-minimized-4528307146063872
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/takdec.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 1676313b7c..9c253c1e8e 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -486,10 +486,10 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded, v += (unsigned)s->adsp.scalarproduct_int16(&s->residues[i], s->filter, filter_order & -16); for (j = filter_order & -16; j < filter_order; j += 4) { - v += s->residues[i + j + 3] * s->filter[j + 3] + - s->residues[i + j + 2] * s->filter[j + 2] + - s->residues[i + j + 1] * s->filter[j + 1] + - s->residues[i + j ] * s->filter[j ]; + v += s->residues[i + j + 3] * (unsigned)s->filter[j + 3] + + s->residues[i + j + 2] * (unsigned)s->filter[j + 2] + + s->residues[i + j + 1] * (unsigned)s->filter[j + 1] + + s->residues[i + j ] * (unsigned)s->filter[j ]; } v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - (unsigned)*decoded; *decoded++ = v; |