diff mbox

[FFmpeg-devel,1/3] avcodec/fic: Fixes signed integer overflow

Message ID 20170817221735.24154-1-michael@niedermayer.cc
State Accepted
Commit 0c9d5b015c2022e8deebb93367f8ee8a8eb779e8
Headers show

Commit Message

Michael Niedermayer Aug. 17, 2017, 10:17 p.m. UTC 
Fixes: runtime error: signed integer overflow: 1037142357 + 1227025305 cannot be represented in type 'int'
Fixes: 3024/clusterfuzz-testcase-minimized-5885660323905536

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/fic.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

Comments

Michael Niedermayer Aug. 19, 2017, 10:35 p.m. UTC | #1 
On Fri, Aug 18, 2017 at 12:17:33AM +0200, Michael Niedermayer wrote:
> Fixes: runtime error: signed integer overflow: 1037142357 + 1227025305 cannot be represented in type 'int'
> Fixes: 3024/clusterfuzz-testcase-minimized-5885660323905536
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/fic.c | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)

patchset applied

[...]
diff mbox

Patch

diff --git a/libavcodec/fic.c b/libavcodec/fic.c
index 46260ee281..d7ee370423 100644
--- a/libavcodec/fic.c
+++ b/libavcodec/fic.c
@@ -85,12 +85,12 @@  static const uint8_t fic_header[7] = { 0, 0, 1, 'F', 'I', 'C', 'V' };
 
 static av_always_inline void fic_idct(int16_t *blk, int step, int shift, int rnd)
 {
-    const int t0 =  27246 * blk[3 * step] + 18405 * blk[5 * step];
-    const int t1 =  27246 * blk[5 * step] - 18405 * blk[3 * step];
-    const int t2 =   6393 * blk[7 * step] + 32139 * blk[1 * step];
-    const int t3 =   6393 * blk[1 * step] - 32139 * blk[7 * step];
-    const unsigned t4 = 5793U * (t2 + t0 + 0x800 >> 12);
-    const unsigned t5 = 5793U * (t3 + t1 + 0x800 >> 12);
+    const unsigned t0 =  27246 * blk[3 * step] + 18405 * blk[5 * step];
+    const unsigned t1 =  27246 * blk[5 * step] - 18405 * blk[3 * step];
+    const unsigned t2 =   6393 * blk[7 * step] + 32139 * blk[1 * step];
+    const unsigned t3 =   6393 * blk[1 * step] - 32139 * blk[7 * step];
+    const unsigned t4 = 5793U * ((int)(t2 + t0 + 0x800) >> 12);
+    const unsigned t5 = 5793U * ((int)(t3 + t1 + 0x800) >> 12);
     const unsigned t6 = t2 - t0;
     const unsigned t7 = t3 - t1;
     const unsigned t8 =  17734 * blk[2 * step] - 42813 * blk[6 * step];