From 574f3aaeff6d04762f02044f1ee1e3564bc3ad00 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sun, 18 Jun 2023 22:41:01 +0200 Subject: [PATCH] avcodec/vmixdec: Fix several integer anomalies Fixes: vmixdec.c:132:34: runtime error: signed integer overflow: -2147483648 * 1856 cannot be represented in type 'int' Fixes: vmixdec.c:119:20: runtime error: signed integer overflow: -1256 + -2147483648 cannot be represented in type 'int' Fixes: vmixdec.c:137:36: runtime error: signed integer overflow: 2147483416 * 16 cannot be represented in type 'int' Fixes: 59843/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VMIX_fuzzer-4857434624360448 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/vmixdec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/vmixdec.c b/libavcodec/vmixdec.c index d0f2219a67..b77c90929a 100644 --- a/libavcodec/vmixdec.c +++ b/libavcodec/vmixdec.c @@ -116,7 +116,7 @@ static int decode_dcac(AVCodecContext *avctx, dc_run--; } else { dc_v = get_se_golomb_vmix(dc_gb); - dc += dc_v; + dc += (unsigned)dc_v; if (!dc_v) dc_run = get_ue_golomb_long(dc_gb); } @@ -129,12 +129,12 @@ static int decode_dcac(AVCodecContext *avctx, ac_v = get_se_golomb_vmix(ac_gb); i = scan[n]; - block[i] = (ac_v * factors[i]) >> 4; + block[i] = ((unsigned)ac_v * factors[i]) >> 4; if (!ac_v) ac_run = get_ue_golomb_long(ac_gb); } - block[0] = ((dc + add) * 16) >> 4; + block[0] = dc + add; s->idsp.idct_put(dst + x, linesize, block); }