avcodec/dca: Fix multiple runtime error: signed integer overflow

Fixes: 680/clusterfuzz-testcase-5416627266912256 Fixes: 681/clusterfuzz-testcase-5013323462475776 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-02-26 20:28:02 +01:00 · 2017-02-26 20:28:02 +01:00 · 949d2176ef
parent 63e400a880
commit 949d2176ef
2 changed files with 3 additions and 3 deletions
--- a/libavcodec/dca_xll.c
+++ b/libavcodec/dca_xll.c
@ -652,7 +652,7 @@ static void chs_filter_band_data(DCAXllDecoder *s, DCAXllChSet *c, int band)
                int64_t err = 0;
                for (k = 0; k < order; k++)
                    err += (int64_t)buf[j + k] * coeff[order - k - 1];
-                buf[j + k] -= clip23(norm16(err));
+                buf[j + k] -= (SUINT)clip23(norm16(err));
            }
        } else {
            // Inverse fixed coefficient prediction
@ -1308,7 +1308,7 @@ static int combine_residual_frame(DCAXllDecoder *s, DCAXllChSet *c)
            // Undo embedded core downmix pre-scaling
            int scale_inv = o->dmix_scale_inv[c->hier_ofs + ch];
            for (n = 0; n < nsamples; n++)
-                dst[n] += clip23((mul16(src[n], scale_inv) + round) >> shift);
+                dst[n] += (SUINT)clip23((mul16(src[n], scale_inv) + round) >> shift);
        } else {
            // No downmix scaling
            for (n = 0; n < nsamples; n++)
--- a/libavcodec/dcadsp.c
+++ b/libavcodec/dcadsp.c
@ -300,7 +300,7 @@ static void decor_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t len)
    int i;

    for (i = 0; i < len; i++)
-        dst[i] += (int)(src[i] * (SUINT)coeff + (1 << 2)) >> 3;
+        dst[i] += (SUINT)((int)(src[i] * (SUINT)coeff + (1 << 2)) >> 3);
 }

 static void dmix_sub_xch_c(int32_t *dst1, int32_t *dst2,