Browse code
avcodec/error_resilience: Fix integer overflow in filter181()
Fixes: runtime error: signed integer overflow: 197710 * 10923 cannot be represented in type 'int'
Fixes: 7010/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5667127596941312
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1c97035e3b1677d6f0c5b6161ebfeffcf7bb638d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer authored on 2018/04/23 04:46:05Showing 1 changed files
| ... | ... |
@@ -108,7 +108,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride) |
| 108 | 108 |
dc = -prev_dc + |
| 109 | 109 |
data[x + y * stride] * 8 - |
| 110 | 110 |
data[x + 1 + y * stride]; |
| 111 |
- dc = (dc * 10923 + 32768) >> 16; |
|
| 111 |
+ dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16; |
|
| 112 | 112 |
prev_dc = data[x + y * stride]; |
| 113 | 113 |
data[x + y * stride] = dc; |
| 114 | 114 |
} |
| ... | ... |
@@ -124,7 +124,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride) |
| 124 | 124 |
dc = -prev_dc + |
| 125 | 125 |
data[x + y * stride] * 8 - |
| 126 | 126 |
data[x + (y + 1) * stride]; |
| 127 |
- dc = (dc * 10923 + 32768) >> 16; |
|
| 127 |
+ dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16; |
|
| 128 | 128 |
prev_dc = data[x + y * stride]; |
| 129 | 129 |
data[x + y * stride] = dc; |
| 130 | 130 |
} |