@@ -848,7 +848,7 @@ static int predict_intra(AVCodecContext *avctx, AVFrame *frame, int ax, int ay,
uint8_t *left = frame->data[plane] + ay * frame->linesize[plane] + FFMAX(ax - 1, 0);
int bottommost = frame->data[plane][(ay + size - 1) * frame->linesize[plane] + FFMAX(ax - 1, 0)];
int rightmost = frame->data[plane][FFMAX(ay - 1, 0) * frame->linesize[plane] + ax + size - 1];
- int avg = (bottommost + rightmost + 1) / 2 + 2 * get_se_golomb(gb);
+ int avg = (bottommost + rightmost + 1) / 2 + 2 * av_clip(get_se_golomb(gb), -(1<<16), 1<<16);
int r6 = adjust(avg - bottommost, size);
int r9 = adjust(avg - rightmost, size);
int shift = adjust(size, size) == 8 ? 3 : 2;
Alternatively we could wrap around or error out. Wrap around would look most messy as downstream computations would need to wrap as well. I did not find a official specification which would list what to do with huge values. Fixes: signed integer overflow: 2 * 1073741952 cannot be represented in type 'int' Fixes: 26765/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOBICLIP_fuzzer-6594926936326144 Fixes: 29663/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MOBICLIP_fuzzer-5169789012148224 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/mobiclip.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)