[FFmpeg-devel] [flac] Fix integer-overflow in flac_lpc_33_c
Dale Curtis
dalecurtis at chromium.org
Wed Jul 30 19:36:51 EEST 2025
On Wed, Jul 30, 2025 at 3:01 AM Michael Niedermayer <michael at niedermayer.cc>
wrote:
> Hi Dale
>
> On Tue, Jul 29, 2025 at 03:07:38PM -0700, Dale Curtis wrote:
> > This fix copies a couple of casts from surrounding functions.
> > See https://crbug.com/432528781 for stack trace details.
> >
> > Signed-off-by: Dale Curtis <dalecurtis at chromium.org>
>
> > flacdsp.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> > 187b2fdeaecb08d3683b90875f4d7c0e74a38da1 flac_fix_v1.patch
> > From 0bf245bf8a031d12aec77e68dbc627247255eeb0 Mon Sep 17 00:00:00 2001
> > From: Dale Curtis <dalecurtis at chromium.org>
> > Date: Tue, 29 Jul 2025 22:05:19 +0000
> > Subject: [PATCH] [flac] Fix integer-overflow in flac_lpc_33_c
> >
> > This fix copies a couple of casts from surrounding functions.
>
> > See https://crbug.com/432528781 for stack trace details.
>
> You (email=michael at niedermayer.cc) are not authorized to access this page!
>
The bug is public and I can open it in an incognito window, so I'm not sure
what's going on here. Are you referring to the Clusterfuzz page itself? I
can add more info to the bug if it's helpful, but can't control ClusterFuzz
access unfortunately.
>
>
> [...]
>
> > - decoded[j] = residual[i] + (sum >> qlevel);
> > + decoded[j] = (uint64_t)residual[i] + (unsigned)(sum >> qlevel);
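Review bot: The `(unsigned)` cast on `(sum >> qlevel)` in the added line narrows the shifted sum to unsigned int before the 64-bit addition, so the result changes even when nothing overflows: a negative shifted sum is converted to a large positive value and then zero-extended, and if `sum` is wider than unsigned int its upper bits are dropped. Keep the second operand 64 bits wide, for example `(uint64_t)(sum >> qlevel)`, so the addition still wraps in unsigned arithmetic but matches the old expression for in-range inputs. A short comment on that line saying the casts are there to avoid signed overflow would also help.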
>
> This does not give the same result for cases that do not overflow
>
> I would guess more in the direction of:
>
> decoded[j] = (int64_t)residual[i] + (uint64_t)(sum >> qlevel);
>
Happy to make that change, but is one of the following casts also
incorrect then?
https://github.com/FFmpeg/FFmpeg/blob/master/libavcodec/flacdsp.c#L111
https://github.com/FFmpeg/FFmpeg/blob/master/libavcodec/flacdsp.c#L69
>
> thx
>
> [...]
>
> --
> Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> During times of universal deceit, telling the truth becomes a
> revolutionary act. -- George Orwell
>
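The cast difference discussed in this thread, as an added example (not part of the original message and not FFmpeg code): the three forms of the expression evaluated on constructed inputs. The helper names and the `int32_t`/`int64_t` types of `residual` and `sum` are assumptions, since the thread does not show the declarations.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not FFmpeg code. The int64_t type of sum and the
 * int32_t type of residual are assumptions; all inputs are constructed.
 * Relies on arithmetic right shift and two's complement conversion, as
 * provided by gcc and clang. */

/* Original expression: plain signed addition (overflow is undefined). */
static int64_t add_original(int32_t residual, int64_t sum, int qlevel)
{
    return residual + (sum >> qlevel);
}

/* v1 patch: the shifted sum is narrowed to unsigned int first. */
static int64_t add_v1_patch(int32_t residual, int64_t sum, int qlevel)
{
    return (int64_t)((uint64_t)residual + (unsigned)(sum >> qlevel));
}

/* Review suggestion: the shifted sum keeps all 64 bits; the addition is
 * done in uint64_t, so it wraps instead of overflowing. */
static int64_t add_suggested(int32_t residual, int64_t sum, int qlevel)
{
    return (int64_t)((int64_t)residual + (uint64_t)(sum >> qlevel));
}

int main(void)
{
    /* Constructed non-overflowing input with a negative shifted sum. */
    int32_t residual = 100;
    int64_t sum = -8;
    int qlevel = 2;

    printf("original : %" PRId64 "\n", add_original(residual, sum, qlevel));
    printf("v1 patch : %" PRId64 "\n", add_v1_patch(residual, sum, qlevel));
    printf("suggested: %" PRId64 "\n", add_suggested(residual, sum, qlevel));
    /* Constructed overflowing input: only the wrapping form is safe to call. */
    printf("wrapped  : %" PRId64 "\n", add_suggested(1, INT64_MAX, 0));
    return 0;
}
```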