[FFmpeg-cvslog] avcodec/tta: Check 24bit scaling for overflow

[Michael Niedermayer]

ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sun Sep 11 00:11:20 2022 +0200| [3993345f915bccceee315f44d412445346990e14] | committer: Michael Niedermayer

avcodec/tta: Check 24bit scaling for overflow

Fixes: signed integer overflow: -8427924 * 256 cannot be represented in type 'int'
Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_TTA_fuzzer-5409428670644224

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3993345f915bccceee315f44d412445346990e14
---

 libavcodec/tta.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/libavcodec/tta.c b/libavcodec/tta.c
index 6fb8d7a74f..d66e25af05 100644
--- a/libavcodec/tta.c
+++ b/libavcodec/tta.c
@@ -377,8 +377,15 @@ static int tta_decode_frame(AVCodecContext *avctx, AVFrame *frame,
     case 3: {
         // shift samples for 24-bit sample format
         int32_t *samples = (int32_t *)frame->data[0];
-        for (i = 0; i < framelen * s->channels; i++)
-            *samples++ *= 256;
+        int overflow = 0;
+
+        for (i = 0; i < framelen * s->channels; i++) {
+            int scaled = *samples * 256U;
+            overflow += (scaled >> 8 != *samples);
+            *samples++ = scaled;
+        }
+        if (overflow)
+            av_log(avctx, AV_LOG_WARNING, "%d overflows occurred on 24bit upscale\n", overflow);
         // reset decode buffer
         s->decode_buffer = NULL;
         break;