[FFmpeg-cvslog] avcodec/takdec: Fix runtime error: signed integer overflow: 2146548196 + 2156738 cannot be represented in type 'int'

Michael Niedermayer git at videolan.org
Mon May 22 23:41:38 EEST 2017 

ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Mon May 22 22:19:23 2017 +0200| [f95f9f975598262d7acdf9f4611bd1e775203f7b] | committer: Michael Niedermayer

avcodec/takdec: Fix runtime error: signed integer overflow: 2146548196 + 2156738 cannot be represented in type 'int'

Fixes: 1743/clusterfuzz-testcase-minimized-4994834022531072

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f95f9f975598262d7acdf9f4611bd1e775203f7b
---

 libavcodec/takdec.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c
index 78e82a9d41..512bd5a4ac 100644
--- a/libavcodec/takdec.c
+++ b/libavcodec/takdec.c
@@ -203,7 +203,7 @@ static void decode_lpc(int32_t *coeffs, int mode, int length)
         return;
 
     if (mode == 1) {
-        int a1 = *coeffs++;
+        unsigned a1 = *coeffs++;
         for (i = 0; i < length - 1 >> 1; i++) {
             *coeffs   += a1;
             coeffs[1] += *coeffs;
@@ -213,14 +213,14 @@ static void decode_lpc(int32_t *coeffs, int mode, int length)
         if (length - 1 & 1)
             *coeffs += a1;
     } else if (mode == 2) {
-        int a1    = coeffs[1];
-        int a2    = a1 + *coeffs;
+        unsigned a1    = coeffs[1];
+        unsigned a2    = a1 + *coeffs;
         coeffs[1] = a2;
         if (length > 2) {
             coeffs += 2;
             for (i = 0; i < length - 2 >> 1; i++) {
-                int a3    = *coeffs + a1;
-                int a4    = a3 + a2;
+                unsigned a3    = *coeffs + a1;
+                unsigned a4    = a3 + a2;
                 *coeffs   = a4;
                 a1        = coeffs[1] + a3;
                 a2        = a1 + a4;
@@ -231,13 +231,13 @@ static void decode_lpc(int32_t *coeffs, int mode, int length)
                 *coeffs += a1 + a2;
         }
     } else if (mode == 3) {
-        int a1    = coeffs[1];
-        int a2    = a1 + *coeffs;
+        unsigned a1    = coeffs[1];
+        unsigned a2    = a1 + *coeffs;
         coeffs[1] = a2;
         if (length > 2) {
-            int a3  = coeffs[2];
-            int a4  = a3 + a1;
-            int a5  = a4 + a2;
+            unsigned a3  = coeffs[2];
+            unsigned a4  = a3 + a1;
+            unsigned a5  = a4 + a2;
             coeffs[2] = a5;
             coeffs += 3;
             for (i = 0; i < length - 3; i++) {

More information about the ffmpeg-cvslog mailing list