From cd66606a8f9124a75a126d579c18f263b874d3a5 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 5 Oct 2023 14:17:05 +0200 Subject: [PATCH] avcodec/bonk: Fix undefined overflow in predictor_calc_error() Fixes: signed integer overflow: -2146469728 - 1488954 cannot be represented in type 'int' Fixes: 62490/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5612782399389696 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/bonk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c index 6cd6a0af61..65679e5fb6 100644 --- a/libavcodec/bonk.c +++ b/libavcodec/bonk.c @@ -270,7 +270,7 @@ static inline int shift(int a, int b) static int predictor_calc_error(int *k, int *state, int order, int error) { - int i, x = error - shift_down(k[order-1] * (unsigned)state[order-1], LATTICE_SHIFT); + int i, x = error - (unsigned)shift_down(k[order-1] * (unsigned)state[order-1], LATTICE_SHIFT); int *k_ptr = &(k[order-2]), *state_ptr = &(state[order-2]);