[FFmpeg-cvslog] avcodec/apedec: Fix integer overflow in filter_3800()
Michael Niedermayer
git at videolan.org
Sun Sep 25 01:08:31 EEST 2022
ffmpeg | branch: release/5.1 | Michael Niedermayer <michael at niedermayer.cc> | Sun Sep 11 00:30:42 2022 +0200| [c15b355eb5a653b150fc58a01bca49ecd4116bfd] | committer: Michael Niedermayer
avcodec/apedec: Fix integer overflow in filter_3800()
Fixes: signed integer overflow: -2147448926 + -198321 cannot be represented in type 'int'
Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-5739619273015296
Fixes: 48798/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APE_fuzzer-6744428485672960
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit f05247f6a4698c14f1cd523daa90188f50dcf6ad)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c15b355eb5a653b150fc58a01bca49ecd4116bfd
---
libavcodec/apedec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/apedec.c b/libavcodec/apedec.c
index a7c38bce1b..24877c5598 100644
--- a/libavcodec/apedec.c
+++ b/libavcodec/apedec.c
@@ -934,7 +934,7 @@ static av_always_inline int filter_3800(APEPredictor *p,
p->coeffsB[filter][0] += (((d3 >> 29) & 4) - 2) * sign;
p->coeffsB[filter][1] -= (((d4 >> 30) & 2) - 1) * sign;
- p->filterB[filter] = p->lastA[filter] + (predictionB >> shift);
+ p->filterB[filter] = p->lastA[filter] + (unsigned)(predictionB >> shift);
p->filterA[filter] = p->filterB[filter] + (unsigned)((int)(p->filterA[filter] * 31U) >> 5);
return p->filterA[filter];
More information about the ffmpeg-cvslog
mailing list