Fixes: runtime error: signed integer overflow: 197710 * 10923 cannot be represented in type 'int'
Fixes: 7010/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5667127596941312
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 1c97035e3b1677d6f0c5b6161ebfeffcf7bb638d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
... | ... |
@@ -108,7 +108,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride) |
108 | 108 |
dc = -prev_dc + |
109 | 109 |
data[x + y * stride] * 8 - |
110 | 110 |
data[x + 1 + y * stride]; |
111 |
- dc = (dc * 10923 + 32768) >> 16; |
|
111 |
+ dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16; |
|
112 | 112 |
prev_dc = data[x + y * stride]; |
113 | 113 |
data[x + y * stride] = dc; |
114 | 114 |
} |
... | ... |
@@ -124,7 +124,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride) |
124 | 124 |
dc = -prev_dc + |
125 | 125 |
data[x + y * stride] * 8 - |
126 | 126 |
data[x + (y + 1) * stride]; |
127 |
- dc = (dc * 10923 + 32768) >> 16; |
|
127 |
+ dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16; |
|
128 | 128 |
prev_dc = data[x + y * stride]; |
129 | 129 |
data[x + y * stride] = dc; |
130 | 130 |
} |
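Review bot: The upper clip bound `INT_MAX/10923 - 32768` subtracts the rounding constant after the division, so with a 32-bit int it caps dc at 163834, although `dc * 10923 + 32768` stays representable up to `(INT_MAX - 32768) / 10923` (196599). The same expression is repeated in the second hunk at new line 127. Values between the two bounds are clamped even though they cannot overflow, which changes the filtered output for extreme inputs with no added safety. I would write `dc = (av_clip(dc, INT_MIN/10923, (INT_MAX - 32768)/10923) * 10923 + 32768) >> 16;` in both places, preferably through one small static helper so the bound is stated once, with a comment such as `/* clamp so dc * 10923 + 32768 cannot overflow int */`. filter181's body starts and ends outside both hunks, so whether the surrounding code already bounds dc cannot be checked from here.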