From 2e260c2271c1f65af46e493669d26af0ba6ac97d Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 24 Aug 2019 00:11:02 +0200 Subject: [PATCH] avcodec/aacps: Fix integer overflows in hybrid_synthesis() Fixes: signed integer overflow: -822667928 + -1399761199 cannot be represented in type 'int' Fixes: 15756/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5645182051024896 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit ec749ed2225e0c33f0910fc318c73da6f4ceb587) Signed-off-by: Michael Niedermayer --- libavcodec/aacps.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c index d5dca64b0f..22df160fe7 100644 --- a/libavcodec/aacps.c +++ b/libavcodec/aacps.c @@ -414,33 +414,33 @@ static void hybrid_synthesis(PSDSPContext *dsp, INTFLOAT out[2][38][64], memset(out[0][n], 0, 5*sizeof(out[0][n][0])); memset(out[1][n], 0, 5*sizeof(out[1][n][0])); for (i = 0; i < 12; i++) { - out[0][n][0] += in[ i][n][0]; - out[1][n][0] += in[ i][n][1]; + out[0][n][0] += (UINTFLOAT)in[ i][n][0]; + out[1][n][0] += (UINTFLOAT)in[ i][n][1]; } for (i = 0; i < 8; i++) { - out[0][n][1] += in[12+i][n][0]; - out[1][n][1] += in[12+i][n][1]; + out[0][n][1] += (UINTFLOAT)in[12+i][n][0]; + out[1][n][1] += (UINTFLOAT)in[12+i][n][1]; } for (i = 0; i < 4; i++) { - out[0][n][2] += in[20+i][n][0]; - out[1][n][2] += in[20+i][n][1]; - out[0][n][3] += in[24+i][n][0]; - out[1][n][3] += in[24+i][n][1]; - out[0][n][4] += in[28+i][n][0]; - out[1][n][4] += in[28+i][n][1]; + out[0][n][2] += (UINTFLOAT)in[20+i][n][0]; + out[1][n][2] += (UINTFLOAT)in[20+i][n][1]; + out[0][n][3] += (UINTFLOAT)in[24+i][n][0]; + out[1][n][3] += (UINTFLOAT)in[24+i][n][1]; + out[0][n][4] += (UINTFLOAT)in[28+i][n][0]; + out[1][n][4] += (UINTFLOAT)in[28+i][n][1]; } } dsp->hybrid_synthesis_deint(out, in + 27, 5, len); } else { for (n = 0; n < len; n++) { - out[0][n][0] = in[0][n][0] + in[1][n][0] + in[2][n][0] + - in[3][n][0] + in[4][n][0] + in[5][n][0]; - out[1][n][0] = in[0][n][1] + in[1][n][1] + in[2][n][1] + - in[3][n][1] + in[4][n][1] + in[5][n][1]; - out[0][n][1] = in[6][n][0] + in[7][n][0]; - out[1][n][1] = in[6][n][1] + in[7][n][1]; - out[0][n][2] = in[8][n][0] + in[9][n][0]; - out[1][n][2] = in[8][n][1] + in[9][n][1]; + out[0][n][0] = (UINTFLOAT)in[0][n][0] + in[1][n][0] + in[2][n][0] + + (UINTFLOAT)in[3][n][0] + in[4][n][0] + in[5][n][0]; + out[1][n][0] = (UINTFLOAT)in[0][n][1] + in[1][n][1] + in[2][n][1] + + (UINTFLOAT)in[3][n][1] + in[4][n][1] + in[5][n][1]; + out[0][n][1] = (UINTFLOAT)in[6][n][0] + in[7][n][0]; + out[1][n][1] = (UINTFLOAT)in[6][n][1] + in[7][n][1]; + out[0][n][2] = (UINTFLOAT)in[8][n][0] + in[9][n][0]; + out[1][n][2] = (UINTFLOAT)in[8][n][1] + in[9][n][1]; } dsp->hybrid_synthesis_deint(out, in + 7, 3, len); }