[FFmpeg-cvslog] avcodec/mpeg4videodec: Fix 2 integer overflows in get_amv()

Michael Niedermayer git at videolan.org
Tue Jul 7 21:41:16 EEST 2020


ffmpeg | branch: release/4.2 | Michael Niedermayer <michael at niedermayer.cc> | Thu Jun 11 22:22:57 2020 +0200| [ee14b82ee074650028305fd1402f79037bf79bc9] | committer: Michael Niedermayer

avcodec/mpeg4videodec: Fix 2 integer overflows in get_amv()

Fixes: signed integer overflow: -144876608 * 16 cannot be represented in type 'int'
Fixes: 22782/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPEG4_fuzzer-6039584977977344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit e361785ee05cc75d3caacf2f254160b0336f5358)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ee14b82ee074650028305fd1402f79037bf79bc9
---

 libavcodec/mpeg4videodec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index fa6a4ed9c8..9b92423e86 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -610,7 +610,7 @@ static inline int get_amv(Mpeg4DecContext *ctx, int n)
             dy -= 1 << (shift + a + 1);
         else
             dx -= 1 << (shift + a + 1);
-        mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16 + dy * s->mb_y * 16;
+        mb_v = s->sprite_offset[0][n] + dx * s->mb_x * 16U + dy * s->mb_y * 16U;
 
         sum = 0;
         for (y = 0; y < 16; y++) {



More information about the ffmpeg-cvslog mailing list