
[FFmpeg-devel] avcodec/aacps (fixed point): Fix multiple signed integer overflows

Message ID 20170709162758.1033-1-michael@niedermayer.cc
State Accepted
Commit 80b9e40b6f1e15db9f36c195e7375e65f6b4924f

Commit Message

Michael Niedermayer July 9, 2017, 4:27 p.m. UTC
Fixes: runtime error: signed integer overflow: 1421978265 - -1810326882 cannot be represented in type 'int'
Fixes: 2527/clusterfuzz-testcase-minimized-5260915396050944

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/aacps.c | 25 ++++++++-----------------
 1 file changed, 8 insertions(+), 17 deletions(-)

Comments

Michael Niedermayer July 12, 2017, 2:50 a.m. UTC | #1
On Sun, Jul 09, 2017 at 06:27:58PM +0200, Michael Niedermayer wrote:
> Fixes: runtime error: signed integer overflow: 1421978265 - -1810326882 cannot be represented in type 'int'
> Fixes: 2527/clusterfuzz-testcase-minimized-5260915396050944
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/aacps.c | 25 ++++++++-----------------
>  1 file changed, 8 insertions(+), 17 deletions(-)

applied

[...]

Patch

diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c
index 473da7bd43..5758b919a1 100644
--- a/libavcodec/aacps.c
+++ b/libavcodec/aacps.c
@@ -697,26 +697,17 @@  static void decorrelation(PSContext *ps, INTFLOAT (*out)[32][2], const INTFLOAT
     for (i = 0; i < NR_PAR_BANDS[is34]; i++) {
         for (n = n0; n < nL; n++) {
             int decayed_peak;
-            int denom;
-
             decayed_peak = (int)(((int64_t)peak_decay_factor * \
                                            peak_decay_nrg[i] + 0x40000000) >> 31);
             peak_decay_nrg[i] = FFMAX(decayed_peak, power[i][n]);
-            power_smooth[i] += (power[i][n] - power_smooth[i] + 2) >> 2;
-            peak_decay_diff_smooth[i] += (peak_decay_nrg[i] - power[i][n] - \
-                                          peak_decay_diff_smooth[i] + 2) >> 2;
-            denom = peak_decay_diff_smooth[i] + (peak_decay_diff_smooth[i] >> 1);
-            if (denom > power_smooth[i]) {
-              int p = power_smooth[i];
-              while (denom < 0x40000000) {
-                denom <<= 1;
-                p <<= 1;
-              }
-              transient_gain[i][n] = p / (denom >> 16);
-            }
-            else {
-              transient_gain[i][n] = 1 << 16;
-            }
+            power_smooth[i] += (power[i][n] + 2LL - power_smooth[i]) >> 2;
+            peak_decay_diff_smooth[i] += (peak_decay_nrg[i] + 2LL - power[i][n] - \
+                                          peak_decay_diff_smooth[i]) >> 2;
+
+            if (peak_decay_diff_smooth[i]) {
+                transient_gain[i][n] = FFMIN(power_smooth[i]*43691LL / peak_decay_diff_smooth[i], 1<<16);
+            } else
+                transient_gain[i][n] = 1 << 16;
         }
     }
 #else
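Review bot: The new guard `if (peak_decay_diff_smooth[i])` rejects only zero, and `FFMIN(..., 1<<16)` bounds the quotient only from above, so a negative `peak_decay_diff_smooth[i]` or `power_smooth[i]` would store a negative `transient_gain[i][n]`; the removed code took the `1 << 16` branch for a negative `denom` with a non-negative `power_smooth[i]`. The overflow report in the commit message shows a negative operand reaching these subtractions, so negative accumulators look reachable with malformed input, though the array types and the computation of `power` are outside this hunk and that should be confirmed. Consider `if (peak_decay_diff_smooth[i] > 0 && power_smooth[i] >= 0)` so that every other case falls back to `1 << 16`. The literal also deserves a comment, for example `/* 43691 = round(65536 / 1.5): Q16 gain with the old 1.5x denominator folded in */`. decorrelation() starts before and continues after this hunk.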