Browse code
avcodec/mjpegdec: Fix integer overflow in shift
Fixes: signal_sigabrt_7ffff6ac7bb9_2683_cov_4120310995_m_ijpg.avi
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 970a8f1c256f08d2f6414d573a54f2fa035c8e7a)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2014/11/28 03:27:05Showing 1 changed files
| ... | ... |
@@ -244,7 +244,8 @@ int ff_mjpeg_decode_dht(MJpegDecodeContext *s) |
| 244 | 244 |
|
| 245 | 245 |
int ff_mjpeg_decode_sof(MJpegDecodeContext *s) |
| 246 | 246 |
{
|
| 247 |
- int len, nb_components, i, width, height, bits, pix_fmt_id, ret; |
|
| 247 |
+ int len, nb_components, i, width, height, bits, ret; |
|
| 248 |
+ unsigned pix_fmt_id; |
|
| 248 | 249 |
int h_count[MAX_COMPONENTS]; |
| 249 | 250 |
int v_count[MAX_COMPONENTS]; |
| 250 | 251 |
|
| ... | ... |
@@ -378,7 +379,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s) |
| 378 | 378 |
else if (!s->lossless) |
| 379 | 379 |
s->rgb = 0; |
| 380 | 380 |
/* XXX: not complete test ! */ |
| 381 |
- pix_fmt_id = (s->h_count[0] << 28) | (s->v_count[0] << 24) | |
|
| 381 |
+ pix_fmt_id = ((unsigned)s->h_count[0] << 28) | (s->v_count[0] << 24) | |
|
| 382 | 382 |
(s->h_count[1] << 20) | (s->v_count[1] << 16) | |
| 383 | 383 |
(s->h_count[2] << 12) | (s->v_count[2] << 8) | |
| 384 | 384 |
(s->h_count[3] << 4) | s->v_count[3]; |