[FFmpeg-cvslog] avcodec/rv40: Fix runtime error: left shift of negative value

Michael Niedermayer git at videolan.org
Tue Feb 21 16:32:13 EET 2017


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Tue Feb 21 03:05:32 2017 +0100| [956472a3236cc8eaeba5147c55b51bde6005c898] | committer: Michael Niedermayer

avcodec/rv40: Fix runtime error: left shift of negative value

Fixes: 630/clusterfuzz-testcase-6608718928019456

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=956472a3236cc8eaeba5147c55b51bde6005c898
---

 libavcodec/rv40.c    | 2 +-
 libavcodec/rv40dsp.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/rv40.c b/libavcodec/rv40.c
index e5ba215..dfeebda 100644
--- a/libavcodec/rv40.c
+++ b/libavcodec/rv40.c
@@ -189,7 +189,7 @@ static int rv40_decode_intra_types(RV34DecContext *r, GetBitContext *gb, int8_t
             A = ptr[-r->intra_types_stride + 1]; // it won't be used for the last coefficient in a row
             B = ptr[-r->intra_types_stride];
             C = ptr[-1];
-            pattern = A + (B << 4) + (C << 8);
+            pattern = A + B * (1 << 4) + C * (1 << 8);
             for(k = 0; k < MODE2_PATTERNS_NUM; k++)
                 if(pattern == rv40_aic_table_index[k])
                     break;
diff --git a/libavcodec/rv40dsp.c b/libavcodec/rv40dsp.c
index 19b0e93..95ba0a9 100644
--- a/libavcodec/rv40dsp.c
+++ b/libavcodec/rv40dsp.c
@@ -449,7 +449,7 @@ static av_always_inline void rv40_weak_loop_filter(uint8_t *src,
         if (u > 3 - (filter_p1 && filter_q1))
             continue;
 
-        t <<= 2;
+        t *= 1 << 2;
         if (filter_p1 && filter_q1)
             t += src[-2*step] - src[1*step];
 



More information about the ffmpeg-cvslog mailing list