[FFmpeg-cvslog] swscale/output: fix integer overflow in yuv2rgba64_full_1_c_template()

Thu May 15 05:40:59 EEST 2025

ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sun May 11 23:25:07 2025 +0200| [23592f942db93776dab65a5e92400bb2f037390e] | committer: Michael Niedermayer

swscale/output: fix integer overflow in yuv2rgba64_full_1_c_template()

Fixes: signed integer overflow: -293650 * 16525 cannot be represented in type 'int'
Fixes: 408304111/clusterfuzz-testcase-minimized-ffmpeg_SWS_fuzzer-4762210299871232

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=23592f942db93776dab65a5e92400bb2f037390e
---

 libswscale/output.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libswscale/output.c b/libswscale/output.c
index 2a6a20f2e6..c37649e7ce 100644
--- a/libswscale/output.c
+++ b/libswscale/output.c
@@ -1435,8 +1435,8 @@ yuv2rgba64_full_1_c_template(SwsInternal *c, const int32_t *buf0,
     if (uvalpha == 0) {
         for (i = 0; i < dstW; i++) {
             SUINT Y  = (buf0[i]) >> 2;
-            int U  = (ubuf0[i] - (128 << 11)) >> 2;
-            int V  = (vbuf0[i] - (128 << 11)) >> 2;
+            SUINT U  = (ubuf0[i] - (128 << 11)) >> 2;
+            SUINT V  = (vbuf0[i] - (128 << 11)) >> 2;
             int R, G, B;
 
             Y -= c->yuv2rgb_y_offset;
@@ -1471,8 +1471,8 @@ yuv2rgba64_full_1_c_template(SwsInternal *c, const int32_t *buf0,
 
         for (i = 0; i < dstW; i++) {
             SUINT Y  = (buf0[i]    ) >> 2;
-            int U = (ubuf0[i] * uvalpha1 + ubuf1[i] * uvalpha - (128 << 23)) >> 14;
-            int V = (vbuf0[i] * uvalpha1 + vbuf1[i] * uvalpha - (128 << 23)) >> 14;
+            SUINT U = (ubuf0[i] * uvalpha1 + ubuf1[i] * uvalpha - (128 << 23)) >> 14;
+            SUINT V = (vbuf0[i] * uvalpha1 + vbuf1[i] * uvalpha - (128 << 23)) >> 14;
             int R, G, B;
 
             Y -= c->yuv2rgb_y_offset;

