From patchwork Sat Jul 22 02:35:23 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 4422
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 10.103.1.76 with SMTP id 73csp1653627vsb;
	Fri, 21 Jul 2017 19:35:44 -0700 (PDT)
X-Received: by 10.28.230.199 with SMTP id e68mr608283wmi.138.1500690944268;
	Fri, 21 Jul 2017 19:35:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1500690944; cv=none;
	d=google.com; s=arc-20160816;
	b=ItIAv5lBzpQOIHnJbxRa3cqVZMacCiZhTwQQXd4RTT6p/2b3ZUu/J6mefXuI7JS2dN
	zNzsuiEytvE8sWkEmMBdY9Vg0wSP0EcTaCKAaJ5BX477Or9qbO1ymYb38hvaWN/IdzEG
	3k4WuBHjEuZU2xw+zzCq6A0XM4UxmKXz9gwREtOY6C5HMOlBWmmHaleUMc3DbAHpP7nF
	asaY+Tclx/TPUY4zr+qnMZOyh5/4Adx0ObQq2+nE1Hlztt9DIb8upOu6eHtIKgMAxzep
	HaP3qqxwBTgimOrkD53ZPjf4b/8x5zJxekWqY3/AJAiN7U7n7rT6tiJxcPSTbeJUKYEW
	4FhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=arc-20160816;
	h=sender:errors-to:content-transfer-encoding:mime-version:reply-to
	:list-subscribe:list-help:list-post:list-archive:list-unsubscribe
	:list-id:precedence:subject:message-id:date:to:from:delivered-to
	:arc-authentication-results;
	bh=7e9n2lKWvHyzPhnol2g3EtsVhKc80piEESwbsJbGh04=;
	b=ZbvO03DRbQ04ccesBAvM24Da90IPgJALXqC/JgGrCj6qgN/nbIC7LdMOv63z2UpAZC
	AAiFGvtygGNyqFTE6qsNfP0cRKjeWI3C39etpTk2WK8N1HyYfmp4qBT2SVxY6kTakAEX
	dCd0iS1PnrO9v1D+oXeH1QTlh3ypRWiQ1xiInVsSMJDYdJazh9hQoXozTSAUL3X8f03u
	xTkZnWsXgUA4d+quHGaXLlKqbUAiICoUYmO/TRtd8+EdmNKVkdjHIm2KRw+O56mA8qag
	vww1/Esl9t7Z7ff3NzfcTjXP9ZFk3PNakUUI6dWM0y3Ybk0Ua4WGUD+vqR1tfKbQFzEG
	G6Bg==
ARC-Authentication-Results: i=1; mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id 64si1529965wrs.352.2017.07.21.19.35.43;
	Fri, 21 Jul 2017 19:35:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id D831968838D;
	Sat, 22 Jul 2017 05:35:30 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe05-1.mx.upcmail.net
	(vie01a-dmta-pe08-1.mx.upcmail.net [84.116.36.20])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id F2958688253
	for <ffmpeg-devel@ffmpeg.org>; Sat, 22 Jul 2017 05:35:24 +0300 (EEST)
Received: from [172.31.216.43] (helo=vie01a-pemc-psmtp-pe01)
	by vie01a-dmta-pe08.mx.upcmail.net with esmtp (Exim 4.88)
	(envelope-from <michael@niedermayer.cc>) id 1dYkGS-0006tF-Rg
	for ffmpeg-devel@ffmpeg.org; Sat, 22 Jul 2017 04:35:32 +0200
Received: from localhost ([213.47.41.20])
	by vie01a-pemc-psmtp-pe01 with SMTP @ mailcloud.upcmail.net
	id nebR1v00f0S5wYM01ebSyt; Sat, 22 Jul 2017 04:35:26 +0200
X-SourceIP: 213.47.41.20
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Sat, 22 Jul 2017 04:35:23 +0200
Message-Id: <20170722023524.23333-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.13.0
Subject: [FFmpeg-devel] [PATCH 1/2] avcodec/aacps: Fix multiple integer
	overflow in map_val_34_to_20()
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: avcodec/aacps.c:511:40: runtime error: signed integer overflow: 1509077651 + 758068176 cannot be represented in type 'int'
Fixes: 2678/clusterfuzz-testcase-minimized-4702787684270080

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/aacps.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c
index 5758b919a1..b16c3393d1 100644
--- a/libavcodec/aacps.c
+++ b/libavcodec/aacps.c
@@ -504,13 +504,13 @@ static void map_idx_34_to_20(int8_t *par_mapped, const int8_t *par, int full)
 static void map_val_34_to_20(INTFLOAT par[PS_MAX_NR_IIDICC])
 {
 #if USE_FIXED
-    par[ 0] = (int)(((int64_t)(par[ 0] + (par[ 1]>>1)) * 1431655765 + \
+    par[ 0] = (int)(((int64_t)(par[ 0] + (unsigned)(par[ 1]>>1)) * 1431655765 + \
                       0x40000000) >> 31);
-    par[ 1] = (int)(((int64_t)((par[ 1]>>1) + par[ 2]) * 1431655765 + \
+    par[ 1] = (int)(((int64_t)((par[ 1]>>1) + (unsigned)par[ 2]) * 1431655765 + \
                       0x40000000) >> 31);
-    par[ 2] = (int)(((int64_t)(par[ 3] + (par[ 4]>>1)) * 1431655765 + \
+    par[ 2] = (int)(((int64_t)(par[ 3] + (unsigned)(par[ 4]>>1)) * 1431655765 + \
                       0x40000000) >> 31);
-    par[ 3] = (int)(((int64_t)((par[ 4]>>1) + par[ 5]) * 1431655765 + \
+    par[ 3] = (int)(((int64_t)((par[ 4]>>1) + (unsigned)par[ 5]) * 1431655765 + \
                       0x40000000) >> 31);
 #else
     par[ 0] = (2*par[ 0] +   par[ 1]) * 0.33333333f;