summaryrefslogtreecommitdiffstats
path: root/libavcodec
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2018-04-22 21:46:05 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2018-04-25 23:09:47 +0200
commit1c97035e3b1677d6f0c5b6161ebfeffcf7bb638d (patch)
tree6bf336189765c7676ffbd875eb48bb3f8534baa2 /libavcodec
parentde841fbea7655b74a9663001e01008a86c88779a (diff)
downloadffmpeg-streaming-1c97035e3b1677d6f0c5b6161ebfeffcf7bb638d.zip
ffmpeg-streaming-1c97035e3b1677d6f0c5b6161ebfeffcf7bb638d.tar.gz
avcodec/error_resilience: Fix integer overflow in filter181()
Fixes: runtime error: signed integer overflow: 197710 * 10923 cannot be represented in type 'int' Fixes: 7010/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-5667127596941312 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/error_resilience.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/error_resilience.c b/libavcodec/error_resilience.c
index 25e54a5..339042e 100644
--- a/libavcodec/error_resilience.c
+++ b/libavcodec/error_resilience.c
@@ -107,7 +107,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride)
dc = -prev_dc +
data[x + y * stride] * 8 -
data[x + 1 + y * stride];
- dc = (dc * 10923 + 32768) >> 16;
+ dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16;
prev_dc = data[x + y * stride];
data[x + y * stride] = dc;
}
@@ -123,7 +123,7 @@ static void filter181(int16_t *data, int width, int height, ptrdiff_t stride)
dc = -prev_dc +
data[x + y * stride] * 8 -
data[x + (y + 1) * stride];
- dc = (dc * 10923 + 32768) >> 16;
+ dc = (av_clip(dc, INT_MIN/10923, INT_MAX/10923 - 32768) * 10923 + 32768) >> 16;
prev_dc = data[x + y * stride];
data[x + y * stride] = dc;
}
OpenPOWER on IntegriCloud