aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2017-09-22 20:45:26 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2017-09-24 21:54:13 +0200
commit3dabb9c69db114b1f30c30e0a2788cffc50bac40 (patch)
tree371d3009bf8d5795b12f1a235a060ca44424170f
parent3d2da6d585509daddcd65f206b1a262c9c78cbce (diff)
downloadffmpeg-3dabb9c69db114b1f30c30e0a2788cffc50bac40.tar.gz
avcodec/takdec: Fix integer overflows in decode_subframe()
Fixes: runtime error: signed integer overflow: -1562477869 + -691460395 cannot be represented in type 'int' Fixes: 3196/clusterfuzz-testcase-minimized-4528307146063872 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/takdec.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c
index 1676313b7c..9c253c1e8e 100644
--- a/libavcodec/takdec.c
+++ b/libavcodec/takdec.c
@@ -486,10 +486,10 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded,
v += (unsigned)s->adsp.scalarproduct_int16(&s->residues[i], s->filter,
filter_order & -16);
for (j = filter_order & -16; j < filter_order; j += 4) {
- v += s->residues[i + j + 3] * s->filter[j + 3] +
- s->residues[i + j + 2] * s->filter[j + 2] +
- s->residues[i + j + 1] * s->filter[j + 1] +
- s->residues[i + j ] * s->filter[j ];
+ v += s->residues[i + j + 3] * (unsigned)s->filter[j + 3] +
+ s->residues[i + j + 2] * (unsigned)s->filter[j + 2] +
+ s->residues[i + j + 1] * (unsigned)s->filter[j + 1] +
+ s->residues[i + j ] * (unsigned)s->filter[j ];
}
v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - (unsigned)*decoded;
*decoded++ = v;