[FFmpeg-devel,4/5] avcodec/ralf: Fix integer overflows with the filter coefficient in decode_channel()

Submitted by Michael Niedermayer on Nov. 5, 2019, 11:22 p.m.

Details

Message ID 20191105232224.13680-4-michael@niedermayer.cc
State New
Headers show

Commit Message

Michael Niedermayer Nov. 5, 2019, 11:22 p.m.
Fixes: signed integer overflow: 1145975808 - -1146173210 cannot be represented in type 'int'
Fixes: 18616/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5121296757424128

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/ralf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Patch hide | download patch | download mbox

diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c
index 1d881cf7ae..90220279a3 100644
--- a/libavcodec/ralf.c
+++ b/libavcodec/ralf.c
@@ -264,8 +264,8 @@  static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch,
             t = get_vlc2(gb, vlc[cmode].table, vlc[cmode].bits, 2);
             t = extend_code(gb, t, 21, add_bits);
             if (!cmode)
-                coeff -= 12 << add_bits;
-            coeff = t - coeff;
+                coeff -= 12U << add_bits;
+            coeff = (unsigned)t - coeff;
             ctx->filter[i] = coeff;
 
             cmode = coeff >> add_bits;