diff mbox

[FFmpeg-devel,4/4] avcodec/h264_cavlc: Fix integer overflows with motion vector residual addition

Message ID 20190627003533.22314-4-michael@niedermayer.cc
State Accepted
Commit b789ebf681eadd28cc137125b567d3e84bc05d55
Headers show

Commit Message

Michael Niedermayer June 27, 2019, 12:35 a.m. UTC 
Fixes: signed integer overflow: 14 + 2147483647 cannot be represented in type 'int'
Fixes: 14794/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5677380695228416

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/h264_cavlc.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

Comments

Michael Niedermayer July 19, 2019, 11:15 a.m. UTC | #1 
On Thu, Jun 27, 2019 at 02:35:33AM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 14 + 2147483647 cannot be represented in type 'int'
> Fixes: 14794/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_H264_fuzzer-5677380695228416
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/h264_cavlc.c | 16 ++++++++--------
>  1 file changed, 8 insertions(+), 8 deletions(-)

will apply

[...]
diff mbox

Patch

diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index d82144e3c3..6481992e58 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -923,8 +923,8 @@  decode_intra_mb:
                         const int index= 4*i + block_width*j;
                         int16_t (* mv_cache)[2]= &sl->mv_cache[list][ scan8[index] ];
                         pred_motion(h, sl, index, block_width, list, sl->ref_cache[list][ scan8[index] ], &mx, &my);
-                        mx += get_se_golomb(&sl->gb);
-                        my += get_se_golomb(&sl->gb);
+                        mx += (unsigned)get_se_golomb(&sl->gb);
+                        my += (unsigned)get_se_golomb(&sl->gb);
                         ff_tlog(h->avctx, "final mv:%d %d\n", mx, my);
 
                         if(IS_SUB_8X8(sub_mb_type)){
@@ -977,8 +977,8 @@  decode_intra_mb:
             for (list = 0; list < sl->list_count; list++) {
                 if(IS_DIR(mb_type, 0, list)){
                     pred_motion(h, sl, 0, 4, list, sl->ref_cache[list][ scan8[0] ], &mx, &my);
-                    mx += get_se_golomb(&sl->gb);
-                    my += get_se_golomb(&sl->gb);
+                    mx += (unsigned)get_se_golomb(&sl->gb);
+                    my += (unsigned)get_se_golomb(&sl->gb);
                     ff_tlog(h->avctx, "final mv:%d %d\n", mx, my);
 
                     fill_rectangle(sl->mv_cache[list][ scan8[0] ], 4, 4, 8, pack16to32(mx,my), 4);
@@ -1012,8 +1012,8 @@  decode_intra_mb:
                     unsigned int val;
                     if(IS_DIR(mb_type, i, list)){
                         pred_16x8_motion(h, sl, 8*i, list, sl->ref_cache[list][scan8[0] + 16*i], &mx, &my);
-                        mx += get_se_golomb(&sl->gb);
-                        my += get_se_golomb(&sl->gb);
+                        mx += (unsigned)get_se_golomb(&sl->gb);
+                        my += (unsigned)get_se_golomb(&sl->gb);
                         ff_tlog(h->avctx, "final mv:%d %d\n", mx, my);
 
                         val= pack16to32(mx,my);
@@ -1050,8 +1050,8 @@  decode_intra_mb:
                     unsigned int val;
                     if(IS_DIR(mb_type, i, list)){
                         pred_8x16_motion(h, sl, i*4, list, sl->ref_cache[list][ scan8[0] + 2*i ], &mx, &my);
-                        mx += get_se_golomb(&sl->gb);
-                        my += get_se_golomb(&sl->gb);
+                        mx += (unsigned)get_se_golomb(&sl->gb);
+                        my += (unsigned)get_se_golomb(&sl->gb);
                         ff_tlog(h->avctx, "final mv:%d %d\n", mx, my);
 
                         val= pack16to32(mx,my);