aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2018-04-22 21:46:05 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2018-07-16 19:06:26 +0200
commit986747c9e25db3ac45bb4d8f6c73044080768b56 (patch)
treec3aab44ea344a846d4578117a8af64b7790ac959
parent69f861be42ecb07e1deac86757760ec36a8e7bef (diff)
downloadffmpeg-986747c9e25db3ac45bb4d8f6c73044080768b56.tar.gz
avcodec/error_resilience: Fix integer overflow in filter181()
Fixes: runtime error: signed integer overflow: 197710 * 10923 cannot be represented in type 'int' Fixes: 7010/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5667127596941312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 1c97035e3b1677d6f0c5b6161ebfeffcf7bb638d) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat
-rw-r--r--libavcodec/error_resilience.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c
index 5364940e94..d7f94c10c2 100644
--- a/libavcodec/error_resilience.c
+++ b/libavcodec/error_resilience.c
@@ -108,7 +108,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride)
dc = -prev_dc +
data[x + y * stride] * 8 -
data[x + 1 + y * stride];
- dc = (dc * 10923 + 32768) >> 16;
+ dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16;
prev_dc = data[x + y * stride];
data[x + y * stride] = dc;
}
@@ -124,7 +124,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride)
dc = -prev_dc +
data[x + y * stride] * 8 -
data[x + (y + 1) * stride];
- dc = (dc * 10923 + 32768) >> 16;
+ dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16;
prev_dc = data[x + y * stride];
data[x + y * stride] = dc;
}
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-31 09:41:29 +0000