diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2022-09-11 00:11:20 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2022-09-16 21:30:58 +0200 |
| commit | 3993345f915bccceee315f44d412445346990e14 (patch) | |
| tree | 763dfa24de06e6da2e9c62351a19d89608af3909 /libavcodec | |
| parent | 677e27a9afa7305a918336699b377fd5b42cc299 (diff) | |
| download | ffmpeg-3993345f915bccceee315f44d412445346990e14.tar.gz | |
avcodec/tta: Check 24bit scaling for overflow
Fixes: signed integer overflow: -8427924 * 256 cannot be represented in type 'int'
Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5409428670644224
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/tta.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/libavcodec/tta.c b/libavcodec/tta.c index 6fb8d7a74f..d66e25af05 100644 --- a/libavcodec/tta.c +++ b/libavcodec/tta.c @@ -377,8 +377,15 @@ static int tta_decode_frame(AVCodecContext *avctx, AVFrame *frame, case 3: { // shift samples for 24-bit sample format int32_t *samples = (int32_t *)frame->data[0]; - for (i = 0; i < framelen * s->channels; i++) - *samples++ *= 256; + int overflow = 0; + + for (i = 0; i < framelen * s->channels; i++) { + int scaled = *samples * 256U; + overflow += (scaled >> 8 != *samples); + *samples++ = scaled; + } + if (overflow) + av_log(avctx, AV_LOG_WARNING, "%d overflows occurred on 24bit upscale\n", overflow); // reset decode buffer s->decode_buffer = NULL; break; |