From patchwork Wed Jul 26 19:49:30 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 4466
Delivered-To: ffmpegpatchwork@gmail.com
Received: by 10.103.1.76 with SMTP id 73csp1163120vsb;
	Wed, 26 Jul 2017 12:49:46 -0700 (PDT)
X-Received: by 10.223.178.85 with SMTP id y21mr1661286wra.92.1501098586611;
	Wed, 26 Jul 2017 12:49:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1501098586; cv=none;
	d=google.com; s=arc-20160816;
	b=DL4x+t9kca4x/FWs6TJb3Dp2wq4lbyWYIIvkmVuPfJBfWKygnypDBNBtb3Ttxn+hJC
	JZ2zSMgyrqLKqgkaXO6fSTZXUm5N20GtsJdVuaXeBkXuheS6jGteVFaLucazU4qqypzG
	AWOBQ8APHyX9vGv5g4CmENsK399aY2NdpLWucSEbioCoiUUfkYnBhRC4u78MjyR2ISJS
	5A8JtvY2tTSkJEVLZBXaSjmdo5oYzIZ2s6AgXoB6Wq9Xq2zJFv+qJtmMK+6hem6jEt5Y
	K1/ZzV1jehuRu+INb3b6t0eRu0NFzN5auiiDJhISiwB4/lDN1wQcJdfBdsFK+WDZlsGN
	iHlQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
	s=arc-20160816;
	h=sender:errors-to:content-transfer-encoding:mime-version:reply-to
	:list-subscribe:list-help:list-post:list-archive:list-unsubscribe
	:list-id:precedence:subject:message-id:date:to:from:delivered-to
	:arc-authentication-results;
	bh=MjmIDJhZklFI0wqFbOxs1jtmess1xFdIfC/p3iOtES4=;
	b=v4Y77JB4NksDaJ4vQRORcFAavB1ueXy1OB37z+IDv37LatJPl1hjB4K+z58CwkIt9k
	61ycE9Z6Q84ASDn93N6lTjMiMXP+whhBIW5RuvSLj2cFYFKW7ilojrePc/WuXYoXUN8o
	bJTxJz/GrrgBdb6jhJYigIvtEm24SPA0GJaB0B/02yewrI8BCMnx0qdeTjum6KsOsRuG
	sKmc4AK5li6Wki3SbjYRQXHhwCeyvlxg4J2Vc1w9wKJpYSy4Un+ouZ1rGTvjkAX9MtoO
	7jpHpE3/60WF2Nkoe3fEjdpIA9zpaBaRsW3RkW3l6H5R3964tdfSkfkhjyoYkxjTLxBn
	WTSQ==
ARC-Authentication-Results: i=1; mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
	by mx.google.com with ESMTP id
	63si17395353wro.343.2017.07.26.12.49.45;
	Wed, 26 Jul 2017 12:49:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
	spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
	designates 79.124.17.100 as permitted sender)
	smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 5CD33689A05;
	Wed, 26 Jul 2017 22:49:42 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from vie01a-dmta-pe01-2.mx.upcmail.net
	(vie01a-dmta-pe01-2.mx.upcmail.net [62.179.121.155])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 37742689257
	for <ffmpeg-devel@ffmpeg.org>; Wed, 26 Jul 2017 22:49:35 +0300 (EEST)
Received: from [172.31.216.43] (helo=vie01a-pemc-psmtp-pe01)
	by vie01a-dmta-pe01.mx.upcmail.net with esmtp (Exim 4.88)
	(envelope-from <michael@niedermayer.cc>) id 1daSJK-0003qw-Rd
	for ffmpeg-devel@ffmpeg.org; Wed, 26 Jul 2017 21:49:34 +0200
Received: from localhost ([213.47.41.20])
	by vie01a-pemc-psmtp-pe01 with SMTP @ mailcloud.upcmail.net
	id pXpW1v00w0S5wYM01XpXNF; Wed, 26 Jul 2017 21:49:31 +0200
X-SourceIP: 213.47.41.20
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Wed, 26 Jul 2017 21:49:30 +0200
Message-Id: <20170726194930.14739-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.13.0
Subject: [FFmpeg-devel] [PATCH] avcodec/diracdec: Fix integer overflow in
	signed multiplication in UNPACK_ARITH()
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <http://ffmpeg.org/mailman/options/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <http://ffmpeg.org/pipermail/ffmpeg-devel/>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <http://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
	<mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches
	<ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Fixes: runtime error: signed integer overflow: 1073741823 * 4 cannot be represented in type 'int'
Fixes: 2729/clusterfuzz-testcase-minimized-5902915464069120

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/diracdec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/diracdec.c b/libavcodec/diracdec.c
index 71d0ff41b2..d2262ebbf5 100644
--- a/libavcodec/diracdec.c
+++ b/libavcodec/diracdec.c
@@ -454,7 +454,8 @@ static inline int coeff_unpack_golomb(GetBitContext *gb, int qfactor, int qoffse
     static inline void coeff_unpack_arith_##n(DiracArith *c, int qfactor, int qoffset, \
                                               SubBand *b, type *buf, int x, int y) \
     { \
-        int coeff, sign, sign_pred = 0, pred_ctx = CTX_ZPZN_F1; \
+        int sign, sign_pred = 0, pred_ctx = CTX_ZPZN_F1; \
+        unsigned coeff; \
         const int mstride = -(b->stride >> (1+b->pshift)); \
         if (b->parent) { \
             const type *pbuf = (type *)b->parent->ibuf; \