[FFmpeg-cvslog] avcodec/mv30: Fix integer overflows in idct2_1d()
Michael Niedermayer
git at videolan.org
Thu Jul 9 23:19:36 EEST 2020
ffmpeg | branch: release/4.3 | Michael Niedermayer <michael at niedermayer.cc> | Thu Jun 18 11:52:47 2020 +0200| [531ddbacb57c2d58f5342d6fde8f056f2790ca4a] | committer: Michael Niedermayer
avcodec/mv30: Fix integer overflows in idct2_1d()
Fixes: signed integer overflow: 6500736 * 473 cannot be represented in type 'int'
Fixes: 23259/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MV30_fuzzer-5179394271477760
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 3b8d5bcc3189c6c46279889f1176c0caba4466e4)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=531ddbacb57c2d58f5342d6fde8f056f2790ca4a
---
libavcodec/mv30.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libavcodec/mv30.c b/libavcodec/mv30.c
index 76b9170eaf..c83ba7ffbd 100644
--- a/libavcodec/mv30.c
+++ b/libavcodec/mv30.c
@@ -200,10 +200,10 @@ static inline void idct2_1d(int *blk, int step)
{
const int t0 = blk[0 * step];
const int t1 = blk[1 * step];
- const int t2 = t1 * 473 >> 8;
+ const int t2 = (int)(t1 * 473U) >> 8;
const int t3 = t2 - t1;
- const int t4 = (t1 * 362 >> 8) - t3;
- const int t5 = ((t1 * 277 >> 8) - t2) + t4;
+ const int t4 = ((int)(t1 * 362U) >> 8) - t3;
+ const int t5 = (((int)(t1 * 277U) >> 8) - t2) + t4;
blk[0 * step] = t1 + t0;
blk[1 * step] = t0 + t3;
More information about the ffmpeg-cvslog
mailing list