avcodec/ffv1dec: Fix integer overflow in read_quant_table()

Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 3361/clusterfuzz-testcase-minimized-5065842955911168 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit d00fc952b6c261dd8eb0f7552b9ccf985dbc2b20) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2017-09-18 17:26:09 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2017-09-24 02:41:18 +0200
commit: 5cf5a1034c0785ba5c1f83a6d1880d5eb6d35852 (patch)
tree: 1e1387fff365ceb4c9ab07e1847b19d677728c07 /libavcodec
parent: 6b66cd8c40df5e5837997dafc799056607ce4861 (diff)
download: ffmpeg-5cf5a1034c0785ba5c1f83a6d1880d5eb6d35852.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index a57ec5363c..b277c478cb 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -359,7 +359,7 @@ static int read_quant_table(RangeCoder *c, int16_t *quant_table, int scale)
     memset(state, 128, sizeof(state));
 
     for (v = 0; i < 128; v++) {
-        unsigned len = get_symbol(c, state, 0) + 1;
+        unsigned len = get_symbol(c, state, 0) + 1U;
 
         if (len > 128 - i || !len)
             return AVERROR_INVALIDDATA;
author	Michael Niedermayer <michael@niedermayer.cc>	2017-09-18 17:26:09 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2017-09-24 02:41:18 +0200
commit	5cf5a1034c0785ba5c1f83a6d1880d5eb6d35852 (patch)
tree	1e1387fff365ceb4c9ab07e1847b19d677728c07 /libavcodec
parent	6b66cd8c40df5e5837997dafc799056607ce4861 (diff)
download	ffmpeg-5cf5a1034c0785ba5c1f83a6d1880d5eb6d35852.tar.gz