avcodec/mpeg4videodec: Fix 2 integer overflows in get_amv()

Fixes: signed integer overflow: -144876608 * 16 cannot be represented in type 'int' Fixes: 22782/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-6039584977977344 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit e361785ee05cc75d3caacf2f254160b0336f5358) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2020-06-11 22:22:57 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2020-07-01 12:49:26 +0200
commit: ef970a79b714acc391e77a9fed4436b6668e0200 (patch)
tree: eeae5803cee44496d8879b1a9b4bfcda8b3bcbef
parent: 17847fd5c73f4b0f53c5cf4e2e4ab95269e9ae73 (diff)
download: ffmpeg-ef970a79b714acc391e77a9fed4436b6668e0200.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index caad104934..d39aa8d218 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -551,7 +551,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n)
             dy -= 1 << (shift + a + 1);
         else
             dx -= 1 << (shift + a + 1);
-        mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16 + dy * s->mb_y * 16;
+        mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16U + dy * s->mb_y * 16U;
 
         sum = 0;
         for (y = 0; y < 16; y++) {
author	Michael Niedermayer <michael@niedermayer.cc>	2020-06-11 22:22:57 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2020-07-01 12:49:26 +0200
commit	ef970a79b714acc391e77a9fed4436b6668e0200 (patch)
tree	eeae5803cee44496d8879b1a9b4bfcda8b3bcbef
parent	17847fd5c73f4b0f53c5cf4e2e4ab95269e9ae73 (diff)
download	ffmpeg-ef970a79b714acc391e77a9fed4436b6668e0200.tar.gz