From f1954ff8d13b7d72cbdfe9515b7ae130d65bc2b0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Jul 2023 01:59:15 +0200 Subject: [PATCH] avcodec/vvc_parser: Avoid undefined overflow in POC computation The comments to the function say that it does not implement the spec and instead follows VTM. This patch is quite likely not the right solution and more intended to show the issue to people knowing the specific part of VTM ... Fixes: signed integer overflow: 2147483392 + 256 cannot be represented in type 'int' Fixes: 60505/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6216675924770816 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/vvc_parser.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/vvc_parser.c b/libavcodec/vvc_parser.c index 3951ebe50a..c661595e1e 100644 --- a/libavcodec/vvc_parser.c +++ b/libavcodec/vvc_parser.c @@ -225,10 +225,10 @@ static void get_slice_poc(VVCParserContext *s, int *poc, } else { if ((poc_lsb < prev_poc_lsb) && ((prev_poc_lsb - poc_lsb) >= (max_poc_lsb / 2))) - poc_msb = prev_poc_msb + max_poc_lsb; + poc_msb = prev_poc_msb + (unsigned)max_poc_lsb; else if ((poc_lsb > prev_poc_lsb) && ((poc_lsb - prev_poc_lsb) > (max_poc_lsb / 2))) - poc_msb = prev_poc_msb - max_poc_lsb; + poc_msb = prev_poc_msb - (unsigned)max_poc_lsb; else poc_msb = prev_poc_msb; }