[FFmpeg-devel] [PATCH 4/4] avcodec/dca: Fix multiple runtime error: signed integer overflow

Michael Niedermayer michael at niedermayer.cc
Sun Feb 26 21:28:02 EET 2017


Fixes: 680/clusterfuzz-testcase-5416627266912256
Fixes: 681/clusterfuzz-testcase-5013323462475776

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 libavcodec/dca_xll.c | 4 ++--
 libavcodec/dcadsp.c  | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/dca_xll.c b/libavcodec/dca_xll.c
index 3dfde6b68d..6cebda35e4 100644
--- a/libavcodec/dca_xll.c
+++ b/libavcodec/dca_xll.c
@@ -652,7 +652,7 @@ static void chs_filter_band_data(DCAXllDecoder *s, DCAXllChSet *c, int band)
                 int64_t err = 0;
                 for (k = 0; k < order; k++)
                     err += (int64_t)buf[j + k] * coeff[order - k - 1];
-                buf[j + k] -= clip23(norm16(err));
+                buf[j + k] -= (SUINT)clip23(norm16(err));
             }
         } else {
             // Inverse fixed coefficient prediction
@@ -1308,7 +1308,7 @@ static int combine_residual_frame(DCAXllDecoder *s, DCAXllChSet *c)
             // Undo embedded core downmix pre-scaling
             int scale_inv = o->dmix_scale_inv[c->hier_ofs + ch];
             for (n = 0; n < nsamples; n++)
-                dst[n] += clip23((mul16(src[n], scale_inv) + round) >> shift);
+                dst[n] += (SUINT)clip23((mul16(src[n], scale_inv) + round) >> shift);
         } else {
             // No downmix scaling
             for (n = 0; n < nsamples; n++)
diff --git a/libavcodec/dcadsp.c b/libavcodec/dcadsp.c
index 3d637f63ae..1503d00886 100644
--- a/libavcodec/dcadsp.c
+++ b/libavcodec/dcadsp.c
@@ -300,7 +300,7 @@ static void decor_c(int32_t *dst, const int32_t *src, int coeff, ptrdiff_t len)
     int i;
 
     for (i = 0; i < len; i++)
-        dst[i] += (int)(src[i] * (SUINT)coeff + (1 << 2)) >> 3;
+        dst[i] += (SUINT)((int)(src[i] * (SUINT)coeff + (1 << 2)) >> 3);
 }
 
 static void dmix_sub_xch_c(int32_t *dst1, int32_t *dst2,
-- 
2.11.0



More information about the ffmpeg-devel mailing list