RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

avcodec/takdec: Fix runtime error: signed integer overflow: 2146548196 + 2156738 cannot be represented in type 'int' 

Fixes: 1743/clusterfuzz-testcase-minimized-4994834022531072

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2017-05-22 22:19:23 +02:00
parent 0ce7cf0c86
commit f95f9f9755
1 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
libavcodec/takdec.c
View File

@ -203,7 +203,7 @@ static void decode_lpc(int32_t *coeffs, int mode, int length)
return;
if (mode == 1) {
int a1 = *coeffs++;
unsigned a1 = *coeffs++;
for (i = 0; i < length - 1 >> 1; i++) {
*coeffs += a1;
coeffs[1] += *coeffs;
@ -213,14 +213,14 @@ static void decode_lpc(int32_t *coeffs, int mode, int length)
if (length - 1 & 1)
*coeffs += a1;
} else if (mode == 2) {
int a1 = coeffs[1];
int a2 = a1 + *coeffs;
unsigned a1 = coeffs[1];
unsigned a2 = a1 + *coeffs;
coeffs[1] = a2;
if (length > 2) {
coeffs += 2;
for (i = 0; i < length - 2 >> 1; i++) {
int a3 = *coeffs + a1;
int a4 = a3 + a2;
unsigned a3 = *coeffs + a1;
unsigned a4 = a3 + a2;
*coeffs = a4;
a1 = coeffs[1] + a3;
a2 = a1 + a4;
@ -231,13 +231,13 @@ static void decode_lpc(int32_t *coeffs, int mode, int length)
*coeffs += a1 + a2;
}
} else if (mode == 3) {
int a1 = coeffs[1];
int a2 = a1 + *coeffs;
unsigned a1 = coeffs[1];
unsigned a2 = a1 + *coeffs;
coeffs[1] = a2;
if (length > 2) {
int a3 = coeffs[2];
int a4 = a3 + a1;
int a5 = a4 + a2;
unsigned a3 = coeffs[2];
unsigned a4 = a3 + a1;
unsigned a5 = a4 + a2;
coeffs[2] = a5;
coeffs += 3;
for (i = 0; i < length - 3; i++) {