| Message ID | 20190905230306.15330-1-michael@niedermayer.cc |
|---|---|
| State | New |
| Headers | show |
Michael Niedermayer (12019-09-06): > Fixes: signed integer overflow: 9223371075321077760 * 2 cannot be represented in type 'long' > Fixes: 16447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5698937431785472 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/ffwavesynth.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c > index cfd0951d8f..8079e34539 100644 > --- a/libavcodec/ffwavesynth.c > +++ b/libavcodec/ffwavesynth.c > @@ -220,7 +220,7 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) > int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); > int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); > int pos = ts & (PINK_UNIT - 1); > - lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) * 2); > + lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) * 2ULL); Casting (pink_ts_next - pink_ts_cur) to uint32_t seems like a better idea. > if (pos) { > pink_fill(ws); > ws->pink_pos = pos; Regards,
On Sat, Sep 21, 2019 at 03:47:00PM +0200, Nicolas George wrote: > Michael Niedermayer (12019-09-06): > > Fixes: signed integer overflow: 9223371075321077760 * 2 cannot be represented in type 'long' > > Fixes: 16447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5698937431785472 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/ffwavesynth.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c > > index cfd0951d8f..8079e34539 100644 > > --- a/libavcodec/ffwavesynth.c > > +++ b/libavcodec/ffwavesynth.c > > @@ -220,7 +220,7 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) > > int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); > > int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); > > int pos = ts & (PINK_UNIT - 1); > > - lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) * 2); > > > + lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) * 2ULL); > > Casting (pink_ts_next - pink_ts_cur) to uint32_t seems like a better > idea. will apply this suggested alternative thanks [...]
diff --git a/libavcodec/ffwavesynth.c b/libavcodec/ffwavesynth.c index cfd0951d8f..8079e34539 100644 --- a/libavcodec/ffwavesynth.c +++ b/libavcodec/ffwavesynth.c @@ -220,7 +220,7 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts) int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); int pos = ts & (PINK_UNIT - 1); - lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) * 2); + lcg_seek(&ws->pink_state, (pink_ts_next - pink_ts_cur) * 2ULL); if (pos) { pink_fill(ws); ws->pink_pos = pos;
Fixes: signed integer overflow: 9223371075321077760 * 2 cannot be represented in type 'long' Fixes: 16447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5698937431785472 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/ffwavesynth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)