diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2023-02-18 21:50:13 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2023-05-22 02:49:59 +0200 |
| commit | 43e5e2e42354fafc608830e3c8c46dacd22a851b (patch) | |
| tree | 31dc12f7ceb7edd2d1178f64394b89aff5565b6a | |
| parent | a76efafdb9be966ae3ad52b32370dc644dd582bf (diff) | |
| download | ffmpeg-43e5e2e42354fafc608830e3c8c46dacd22a851b.tar.gz | |
avcodec/bonk: Avoid undefined integer overflow in predictor_calc_error()
Fixes: signed integer overflow: -159584 * 5105950 cannot be represented in type 'int'
Fixes: 55165/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5796023719297024
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavcodec/bonk.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c index 9a91b4842e..fbea91c750 100644 --- a/libavcodec/bonk.c +++ b/libavcodec/bonk.c @@ -270,14 +270,14 @@ static inline int shift(int a, int b) static int predictor_calc_error(int *k, int *state, int order, int error) { - int i, x = error - shift_down(k[order-1] * state[order-1], LATTICE_SHIFT); + int i, x = error - shift_down(k[order-1] * (unsigned)state[order-1], LATTICE_SHIFT); int *k_ptr = &(k[order-2]), *state_ptr = &(state[order-2]); for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--) { unsigned k_value = *k_ptr, state_value = *state_ptr; - x -= shift_down(k_value * state_value, LATTICE_SHIFT); + x -= shift_down(k_value * (unsigned)state_value, LATTICE_SHIFT); state_ptr[1] = state_value + shift_down(k_value * x, LATTICE_SHIFT); } |