mirror of https://git.ffmpeg.org/ffmpeg.git
avutil/lfg: Correct index increment type to avoid undefined behavior
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 18333/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COMFORTNOISE_fuzzer-5668481831272448
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6014bcf1b7
)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
3a6ef19263
commit
f0bd54aaa7
|
@ -51,8 +51,9 @@ int av_lfg_init_from_data(AVLFG *c, const uint8_t *data, unsigned int length);
|
||||||
* it may be good enough and faster for your specific use case.
|
* it may be good enough and faster for your specific use case.
|
||||||
*/
|
*/
|
||||||
static inline unsigned int av_lfg_get(AVLFG *c){
|
static inline unsigned int av_lfg_get(AVLFG *c){
|
||||||
c->state[c->index & 63] = c->state[(c->index-24) & 63] + c->state[(c->index-55) & 63];
|
unsigned a = c->state[c->index & 63] = c->state[(c->index-24) & 63] + c->state[(c->index-55) & 63];
|
||||||
return c->state[c->index++ & 63];
|
c->index += 1U;
|
||||||
|
return a;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -63,7 +64,9 @@ static inline unsigned int av_lfg_get(AVLFG *c){
|
||||||
static inline unsigned int av_mlfg_get(AVLFG *c){
|
static inline unsigned int av_mlfg_get(AVLFG *c){
|
||||||
unsigned int a= c->state[(c->index-55) & 63];
|
unsigned int a= c->state[(c->index-55) & 63];
|
||||||
unsigned int b= c->state[(c->index-24) & 63];
|
unsigned int b= c->state[(c->index-24) & 63];
|
||||||
return c->state[c->index++ & 63] = 2*a*b+a+b;
|
a = c->state[c->index & 63] = 2*a*b+a+b;
|
||||||
|
c->index += 1U;
|
||||||
|
return a;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
Loading…
Reference in New Issue