From 58e66353243bf11643b653f7403be65c082d9888 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 23 Aug 2019 00:23:52 +0200 Subject: [PATCH] avcodec/mpeg4videodec: Fix integer overflow in mpeg4_decode_studio_block() Fixes: signed integer overflow: 24023040 * 112 cannot be represented in type 'int' Fixes: 16570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5173275211071488 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Kieran Kunhya Signed-off-by: Michael Niedermayer (cherry picked from commit 0e4a0e962cb0e422d2a350b875fc1e38d7b842a3) Signed-off-by: Michael Niedermayer --- libavcodec/mpeg4videodec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c index b6f2ae7b7b..25f528d59e 100644 --- a/libavcodec/mpeg4videodec.c +++ b/libavcodec/mpeg4videodec.c @@ -1826,6 +1826,7 @@ static int mpeg4_decode_studio_block(MpegEncContext *s, int32_t block[64], int n uint32_t flc; const int min = -1 * (1 << (s->avctx->bits_per_raw_sample + 6)); const int max = ((1 << (s->avctx->bits_per_raw_sample + 6)) - 1); + int shift = 3 - s->dct_precision; mismatch = 1; @@ -1921,7 +1922,7 @@ static int mpeg4_decode_studio_block(MpegEncContext *s, int32_t block[64], int n else block[j] = flc; } - block[j] = ((8 * 2 * block[j] * quant_matrix[j] * s->qscale) >> s->dct_precision) / 32; + block[j] = ((block[j] * quant_matrix[j] * s->qscale) * (1 << shift)) / 16; block[j] = av_clip(block[j], min, max); mismatch ^= block[j]; }