[FFmpeg-cvslog] avcodec/apedec: Fix 2 signed overflows

Michael Niedermayer git at videolan.org
Mon Aug 5 20:50:21 EEST 2019


ffmpeg | branch: release/4.2 | Michael Niedermayer <michael at niedermayer.cc> | Sun Aug  4 09:46:34 2019 +0200| [739f93ebe1a2da7ec7072101dd354adfbe0b00f4] | committer: Michael Niedermayer

avcodec/apedec: Fix 2 signed overflows

Fixes: left shift of 1073741824 by 1 places cannot be represented in type 'int'
Fixes: signed integer overflow: 2049431315 + 262759074 cannot be represented in type 'int'
Fixes: 16012/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5719016003338240

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 392c028cd23d128f33d93b2159eed5de42f72b4d)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=739f93ebe1a2da7ec7072101dd354adfbe0b00f4
---

 libavcodec/apedec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index 1a86ac1786..b9df8c6b12 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -589,7 +589,7 @@ static void decode_array_0000(APEContext *ctx, GetBitContext *gb,
                               int32_t *out, APERice *rice, int blockstodecode)
 {
     int i;
-    int ksummax, ksummin;
+    unsigned ksummax, ksummin;
 
     rice->ksum = 0;
     for (i = 0; i < FFMIN(blockstodecode, 5); i++) {
@@ -836,7 +836,7 @@ static av_always_inline int filter_fast_3320(APEPredictor *p,
     else
         p->coeffsA[filter][0]--;
 
-    p->filterA[filter] += p->lastA[filter];
+    p->filterA[filter] += (unsigned)p->lastA[filter];
 
     return p->filterA[filter];
 }



More information about the ffmpeg-cvslog mailing list