avutil/avsscanf: Add () to avoid integer overflow in scanexp()

Fixes: signed integer overflow: 2147483610 + 52 cannot be represented in type 'int' Fixes: 23260/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PBM_fuzzer-5187871274434560 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 42b28565aa852b98d95d8d02f7b0781999f9d533) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-06-18 11:56:53 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2020-07-05 01:47:57 +0200
commit: 9fd30d0bdf5ccfebd7c0409fdf7d9d133d4642fb (patch)
tree: 6547f636d6c257db30c718a4123391065b51a806
parent: 6fe28832a9640d68ebc103cc689af5e2bffacbf4 (diff)
download: ffmpeg-9fd30d0bdf5ccfebd7c0409fdf7d9d133d4642fb.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/libavutil/avsscanf.c b/libavutil/avsscanf.c
index 1c85412fd4..850c117940 100644
--- a/libavutil/avsscanf.c
+++ b/libavutil/avsscanf.c
@@ -229,9 +229,9 @@ static long long scanexp(FFFILE *f, int pok)
         return LLONG_MIN;
     }
     for (x=0; c-'0'<10U && x<INT_MAX/10; c = shgetc(f))
-        x = 10*x + c-'0';
+        x = 10*x + (c-'0');
     for (y=x; c-'0'<10U && y<LLONG_MAX/100; c = shgetc(f))
-        y = 10*y + c-'0';
+        y = 10*y + (c-'0');
     for (; c-'0'<10U; c = shgetc(f));
     shunget(f);
     return neg ? -y : y;
author	Michael Niedermayer <michael@niedermayer.cc>	2020-06-18 11:56:53 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2020-07-05 01:47:57 +0200
commit	9fd30d0bdf5ccfebd7c0409fdf7d9d133d4642fb (patch)
tree	6547f636d6c257db30c718a4123391065b51a806
parent	6fe28832a9640d68ebc103cc689af5e2bffacbf4 (diff)
download	ffmpeg-9fd30d0bdf5ccfebd7c0409fdf7d9d133d4642fb.tar.gz