aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2019-11-05 22:27:04 +0100
committerMichael Niedermayer <michael@niedermayer.cc>2020-07-01 12:49:26 +0200
commit9accc4a832c153f3553886e1d0569d5eba62de3b (patch)
tree99058905a3b8c456d326aa32f0b2ab6cc1a4a0fb
parentbc8dcbedcadde2d797bd247ab1954f885b0dbad5 (diff)
downloadffmpeg-9accc4a832c153f3553886e1d0569d5eba62de3b.tar.gz
avcodec/ralf: Fix integer overflows with the filter coefficient in decode_channel()
Fixes: signed integer overflow: 1145975808 - -1146173210 cannot be represented in type 'int' Fixes: 18616/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5121296757424128 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 721624c2f67545989626ba4413f7b8dbd7dff678) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/ralf.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c
index ca8817aa21..d8f1803086 100644
--- a/libavcodec/ralf.c
+++ b/libavcodec/ralf.c
@@ -264,8 +264,8 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch,
t = get_vlc2(gb, vlc[cmode].table, vlc[cmode].bits, 2);
t = extend_code(gb, t, 21, add_bits);
if (!cmode)
- coeff -= 12 << add_bits;
- coeff = t - coeff;
+ coeff -= 12U << add_bits;
+ coeff = (unsigned)t - coeff;
ctx->filter[i] = coeff;
cmode = coeff >> add_bits;