Browse code
avcodec/dxv: Correct integer overflow in get_opcodes()
Fixes: 13099/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DXV_fuzzer-5665598896340992
Fixes: signed integer overflow: 2147483647 + 7 cannot be represented in type 'int'
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 6e0b5d3a20e107860a34e90139b860d6b8219a1d)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer authored on 2019/03/03 08:47:47Showing 1 changed files
| ... | ... |
@@ -426,7 +426,8 @@ static int fill_optable(unsigned *table0, OpcodeTable *table1, int nb_elements) |
| 426 | 426 |
static int get_opcodes(GetByteContext *gb, uint32_t *table, uint8_t *dst, int op_size, int nb_elements) |
| 427 | 427 |
{
|
| 428 | 428 |
OpcodeTable optable[1024]; |
| 429 |
- int sum, x, val, lshift, rshift, ret, size_in_bits, i, idx; |
|
| 429 |
+ int sum, x, val, lshift, rshift, ret, i, idx; |
|
| 430 |
+ int64_t size_in_bits; |
|
| 430 | 431 |
unsigned endoffset, newoffset, offset; |
| 431 | 432 |
unsigned next; |
| 432 | 433 |
uint8_t *src = (uint8_t *)gb->buffer; |