[FFmpeg-cvslog] avcodec/ralf: Fix integer overflow in decode_channel()

Michael Niedermayer git at videolan.org
Sat Sep 28 20:24:32 EEST 2019


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat Sep 14 14:26:49 2019 +0200| [fbb314b6f2c2b77608442966f28aac20343a1cae] | committer: Michael Niedermayer

avcodec/ralf: Fix integer overflow in decode_channel()

Fixes: signed integer overflow: -1094995519 * 64 cannot be represented in type 'int'
Fixes: 17030/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RALF_fuzzer-5640695838146560

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=fbb314b6f2c2b77608442966f28aac20343a1cae
---

 libavcodec/ralf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/ralf.c b/libavcodec/ralf.c
index 75c9371b95..006ab46414 100644
--- a/libavcodec/ralf.c
+++ b/libavcodec/ralf.c
@@ -300,8 +300,8 @@ static int decode_channel(RALFContext *ctx, GetBitContext *gb, int ch,
         t = get_vlc2(gb, code_vlc->table, code_vlc->bits, 2);
         code1 = t / range2;
         code2 = t % range2;
-        dst[i]     = extend_code(gb, code1, range, 0) * (1 << add_bits);
-        dst[i + 1] = extend_code(gb, code2, range, 0) * (1 << add_bits);
+        dst[i]     = extend_code(gb, code1, range, 0) * (1U << add_bits);
+        dst[i + 1] = extend_code(gb, code2, range, 0) * (1U << add_bits);
         if (add_bits) {
             dst[i]     |= get_bits(gb, add_bits);
             dst[i + 1] |= get_bits(gb, add_bits);



More information about the ffmpeg-cvslog mailing list