diff mbox

[FFmpeg-devel,2/2] avcodec/h264addpx_template: Fixes integer overflows

Message ID 20180107031258.12135-2-michael@niedermayer.cc
State Accepted
Commit d6945aeee419a8417b8019c7c92227e12e45b7ad
Headers show

Commit Message

Michael Niedermayer Jan. 7, 2018, 3:12 a.m. UTC 
Fixes: signed integer overflow: 512 + 2147483491 cannot be represented in type 'int'
Fixes: 4780/clusterfuzz-testcase-minimized-4709066174627840

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/h264addpx_template.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

Comments

Michael Niedermayer Jan. 8, 2018, 8:53 p.m. UTC | #1 
On Sun, Jan 07, 2018 at 04:12:58AM +0100, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 512 + 2147483491 cannot be represented in type 'int'
> Fixes: 4780/clusterfuzz-testcase-minimized-4709066174627840
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/h264addpx_template.c | 24 ++++++++++++------------
>  1 file changed, 12 insertions(+), 12 deletions(-)

will apply

[...]
diff mbox

Patch

diff --git a/libavcodec/h264addpx_template.c b/libavcodec/h264addpx_template.c
index b71aaea439..9a1e6a2f2f 100644
--- a/libavcodec/h264addpx_template.c
+++ b/libavcodec/h264addpx_template.c
@@ -35,10 +35,10 @@  static void FUNCC(ff_h264_add_pixels4)(uint8_t *_dst, int16_t *_src, int stride)
     stride /= sizeof(pixel);
 
     for (i = 0; i < 4; i++) {
-        dst[0] += src[0];
-        dst[1] += src[1];
-        dst[2] += src[2];
-        dst[3] += src[3];
+        dst[0] += (unsigned)src[0];
+        dst[1] += (unsigned)src[1];
+        dst[2] += (unsigned)src[2];
+        dst[3] += (unsigned)src[3];
 
         dst += stride;
         src += 4;
@@ -55,14 +55,14 @@  static void FUNCC(ff_h264_add_pixels8)(uint8_t *_dst, int16_t *_src, int stride)
     stride /= sizeof(pixel);
 
     for (i = 0; i < 8; i++) {
-        dst[0] += src[0];
-        dst[1] += src[1];
-        dst[2] += src[2];
-        dst[3] += src[3];
-        dst[4] += src[4];
-        dst[5] += src[5];
-        dst[6] += src[6];
-        dst[7] += src[7];
+        dst[0] += (unsigned)src[0];
+        dst[1] += (unsigned)src[1];
+        dst[2] += (unsigned)src[2];
+        dst[3] += (unsigned)src[3];
+        dst[4] += (unsigned)src[4];
+        dst[5] += (unsigned)src[5];
+        dst[6] += (unsigned)src[6];
+        dst[7] += (unsigned)src[7];
 
         dst += stride;
         src += 8;