[FFmpeg-devel,1/3] avcodec/rka: use unsigned for buf0 additions

Message ID 20230608171825.6575-1-michael@niedermayer.cc
State Accepted
Commit e736238b35a1e0f69fe8e5a9a7359ba24883c488

Checks

Context                          Check    Description
yinshiyou/make_loongarch64       success  Make finished
yinshiyou/make_fate_loongarch64  success  Make fate finished
andriy/make_x86                  success  Make finished
andriy/make_fate_x86             success  Make fate finished

Commit Message

Michael Niedermayer June 8, 2023, 5:18 p.m. UTC
Fixes: signed integer overflow: -38912000 + -2109276160 cannot be represented in type 'int'
Fixes: 59670/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RKA_fuzzer-4987563245699072

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/rka.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Michael Niedermayer June 18, 2023, 12:18 p.m. UTC | #1
On Thu, Jun 08, 2023 at 07:18:23PM +0200, Michael Niedermayer wrote:
> Fixes: signed integer overflow: -38912000 + -2109276160 cannot be represented in type 'int'
> Fixes: 59670/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RKA_fuzzer-4987563245699072
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/rka.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

will apply patchset

[...]

Patch

diff --git a/libavcodec/rka.c b/libavcodec/rka.c
index 76dca52602..d56f4faee4 100644
--- a/libavcodec/rka.c
+++ b/libavcodec/rka.c
@@ -735,10 +735,10 @@  static int decode_filter(RKAContext *s, ChContext *ctx, ACoder *ac, int off, uns
                     ctx->buf1[off] = (val + (sum >> bits)) * (1U << bits) +
                         (((1U << bits) - 1U) & ctx->buf1[off + -1]);
                 }
-                ctx->buf0[off] = ctx->buf1[off] + ctx->buf0[off + -1];
+                ctx->buf0[off] = ctx->buf1[off] + (unsigned)ctx->buf0[off + -1];
             } else {
                 val *= 1U << ctx->cmode;
-                sum += ctx->buf0[off + -1] + val;
+                sum += ctx->buf0[off + -1] + (unsigned)val;
                 switch (s->bps) {
                 case 16: sum = av_clip_int16(sum); break;
                 case  8: sum = av_clip_int8(sum);  break;
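
Review bot: The two casts sit on different operands and neither changed line says that wraparound is intended. In the first change the cast is on `ctx->buf0[off + -1]`, in the second it is on `val`, so a reader has to apply the usual arithmetic conversions to see that both additions are now carried out in unsigned. Casting the same operand in both places (for example the `buf0` element) and adding a one-line comment that the sum is allowed to wrap would make the intent explicit. The result of the first addition is stored back into `ctx->buf0[off]` with no clip in the visible lines, whereas the else branch passes `sum` through `av_clip_int16` or `av_clip_int8` for the visible `bps` cases. The commit message quotes a single sanitizer report for two changed additions, so it would help to state which of them the fuzzer testcase reaches and that a wrapped value kept in `buf0` is acceptable as the predecessor for later samples.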