From f95f9f975598262d7acdf9f4611bd1e775203f7b Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 22 May 2017 22:19:23 +0200 Subject: [PATCH] avcodec/takdec: Fix runtime error: signed integer overflow: 2146548196 + 2156738 cannot be represented in type 'int' Fixes: 1743/clusterfuzz-testcase-minimized-4994834022531072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/takdec.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c index 78e82a9d41..512bd5a4ac 100644 --- a/libavcodec/takdec.c +++ b/libavcodec/takdec.c @@ -203,7 +203,7 @@ static void decode_lpc(int32_t *coeffs, int mode, int length) return; if (mode == 1) { - int a1 = *coeffs++; + unsigned a1 = *coeffs++; for (i = 0; i < length - 1 >> 1; i++) { *coeffs += a1; coeffs[1] += *coeffs; @@ -213,14 +213,14 @@ static void decode_lpc(int32_t *coeffs, int mode, int length) if (length - 1 & 1) *coeffs += a1; } else if (mode == 2) { - int a1 = coeffs[1]; - int a2 = a1 + *coeffs; + unsigned a1 = coeffs[1]; + unsigned a2 = a1 + *coeffs; coeffs[1] = a2; if (length > 2) { coeffs += 2; for (i = 0; i < length - 2 >> 1; i++) { - int a3 = *coeffs + a1; - int a4 = a3 + a2; + unsigned a3 = *coeffs + a1; + unsigned a4 = a3 + a2; *coeffs = a4; a1 = coeffs[1] + a3; a2 = a1 + a4; @@ -231,13 +231,13 @@ static void decode_lpc(int32_t *coeffs, int mode, int length) *coeffs += a1 + a2; } } else if (mode == 3) { - int a1 = coeffs[1]; - int a2 = a1 + *coeffs; + unsigned a1 = coeffs[1]; + unsigned a2 = a1 + *coeffs; coeffs[1] = a2; if (length > 2) { - int a3 = coeffs[2]; - int a4 = a3 + a1; - int a5 = a4 + a2; + unsigned a3 = coeffs[2]; + unsigned a4 = a3 + a1; + unsigned a5 = a4 + a2; coeffs[2] = a5; coeffs += 3; for (i = 0; i < length - 3; i++) {