From ec849f637e8548ec6c9b6329334944c7c81df443 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Wed, 22 Feb 2017 22:07:35 +0100
Subject: [PATCH] avcodec/h264idct_template: Fix several runtime error: signed integer overflow
Fixes: 652/clusterfuzz-testcase-6174944410992640
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/h264idct_template.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_template.c
index a90c407388..c00900b658 100644
--- a/libavcodec/h264idct_template.c
+++ b/libavcodec/h264idct_template.c
@@ -289,15 +289,15 @@ void FUNCC(ff_h264_chroma422_dc_dequant_idct)(int16_t *_block, int qmul){
 for(i=0; i<2; i++){
 const int offset= x_offset[i];
- const int z0= temp[2*0+i] + temp[2*2+i];
- const int z1= temp[2*0+i] - temp[2*2+i];
- const int z2= temp[2*1+i] - temp[2*3+i];
- const int z3= temp[2*1+i] + temp[2*3+i];
+ const SUINT z0= temp[2*0+i] + temp[2*2+i];
+ const SUINT z1= temp[2*0+i] - temp[2*2+i];
+ const SUINT z2= temp[2*1+i] - temp[2*3+i];
+ const SUINT z3= temp[2*1+i] + temp[2*3+i];
- block[stride*0+offset]= ((z0 + z3)*qmul + 128) >> 8;
- block[stride*1+offset]= ((z1 + z2)*qmul + 128) >> 8;
- block[stride*2+offset]= ((z1 - z2)*qmul + 128) >> 8;
- block[stride*3+offset]= ((z0 - z3)*qmul + 128) >> 8;
+ block[stride*0+offset]= (int)((z0 + z3)*qmul + 128) >> 8;
+ block[stride*1+offset]= (int)((z1 + z2)*qmul + 128) >> 8;
+ block[stride*2+offset]= (int)((z1 - z2)*qmul + 128) >> 8;
+ block[stride*3+offset]= (int)((z0 - z3)*qmul + 128) >> 8;
 }
 }
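Review bot: In `const SUINT z0= temp[2*0+i] + temp[2*2+i];` (and likewise z1 to z3) the conversion to SUINT happens only after the right-hand side has been evaluated in the element type of `temp`. If `temp` is a signed int array, which cannot be confirmed because its declaration and the loop that fills it are outside this hunk, the add or subtract can still overflow as signed arithmetic on decoder-controlled coefficients. Converting one operand first, e.g. `const SUINT z0= temp[2*0+i] + (SUINT)temp[2*2+i];`, would make the whole butterfly wrap as unsigned, assuming SUINT is an unsigned type as the commit subject implies. The four stores rely on the `(int)` cast binding tighter than `>> 8`, so a short comment such as `/* SUINT: wrap instead of signed-overflow UB; cast back to int so >> stays arithmetic */` above them would keep a later cleanup from dropping the cast.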