diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2017-09-08 23:29:12 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2017-09-11 12:28:23 +0200 |
commit | 2d025e742843ca3532bd49ebbfebeacd51337347 (patch) | |
tree | 8e653b02c0fe9b6769c7b3f26cbbb63f819acc32 /libavcodec | |
parent | f0efd795f460aa64d06bb542c6eadd113c2585c2 (diff) | |
download | ffmpeg-2d025e742843ca3532bd49ebbfebeacd51337347.tar.gz |
avcodec/jpeg2000dsp: Fix multiple integer overflows in ict_int()
Fixes: runtime error: signed integer overflow: 22553 * -188962 cannot be represented in type 'int'
Fixes: 3042/clusterfuzz-testcase-minimized-5174210131394560
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/jpeg2000dsp.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c index c746aed924..85a12d0e9b 100644 --- a/libavcodec/jpeg2000dsp.c +++ b/libavcodec/jpeg2000dsp.c @@ -65,9 +65,9 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize) for (i = 0; i < csize; i++) { i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16); - i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16) + i1 = *src0 - ((int)(((unsigned)i_ict_params[1] * *src1) + (1 << 15)) >> 16) - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16); - i2 = *src0 + (2 * *src1) + (((-14942 * *src1) + (1 << 15)) >> 16); + i2 = *src0 + (2 * *src1) + ((int)((-14942U * *src1) + (1 << 15)) >> 16); *src0++ = i0; *src1++ = i1; *src2++ = i2; |