[FFmpeg-cvslog] avcodec/mv30: Fix integer overflows in idct2_1d()

Michael Niedermayer git at videolan.org
Thu Jul 9 23:19:36 EEST 2020


ffmpeg | branch: release/4.3 | Michael Niedermayer <michael at niedermayer.cc> | Thu Jun 18 11:52:47 2020 +0200| [531ddbacb57c2d58f5342d6fde8f056f2790ca4a] | committer: Michael Niedermayer

avcodec/mv30: Fix integer overflows in idct2_1d()

Fixes: signed integer overflow: 6500736 * 473 cannot be represented in type 'int'
Fixes: 23259/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MV30_fuzzer-5179394271477760

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 3b8d5bcc3189c6c46279889f1176c0caba4466e4)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=531ddbacb57c2d58f5342d6fde8f056f2790ca4a
---

 libavcodec/mv30.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/mv30.c b/libavcodec/mv30.c
index 76b9170eaf..c83ba7ffbd 100644
--- a/libavcodec/mv30.c
+++ b/libavcodec/mv30.c
@@ -200,10 +200,10 @@ static inline void idct2_1d(int *blk, int step)
 {
     const int t0 = blk[0 * step];
     const int t1 = blk[1 * step];
-    const int t2 = t1 * 473 >> 8;
+    const int t2 = (int)(t1 * 473U) >> 8;
     const int t3 = t2 - t1;
-    const int t4 = (t1 * 362 >> 8) - t3;
-    const int t5 = ((t1 * 277 >> 8) - t2) + t4;
+    const int t4 =  ((int)(t1 * 362U) >> 8) - t3;
+    const int t5 = (((int)(t1 * 277U) >> 8) - t2) + t4;
 
     blk[0 * step] = t1 + t0;
     blk[1 * step] = t0 + t3;



More information about the ffmpeg-cvslog mailing list