[FFmpeg-devel] [PATCH 3/4] avcodec/h264idct_template: Fix multiple runtime error: signed integer overflow
Michael Niedermayer
michael at niedermayer.cc
Tue Feb 28 01:34:54 EET 2017
On Mon, Feb 27, 2017 at 07:15:57AM +0800, Steven Liu wrote:
> 2017-02-27 3:28 GMT+08:00 Michael Niedermayer <michael at niedermayer.cc>:
>
> > Fixes: 677/clusterfuzz-testcase-6635120628858880
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-
> > fuzz/tree/master/targets/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavcodec/h264idct_template.c | 26 +++++++++++++-------------
> > 1 file changed, 13 insertions(+), 13 deletions(-)
> >
> > diff --git a/libavcodec/h264idct_template.c b/libavcodec/h264idct_
> > template.c
> > index c00900b658..9c5a43ce4f 100644
> > --- a/libavcodec/h264idct_template.c
> > +++ b/libavcodec/h264idct_template.c
> > @@ -40,10 +40,10 @@ void FUNCC(ff_h264_idct_add)(uint8_t *_dst, int16_t
> > *_block, int stride)
> > block[0] += 1 << 5;
> >
> > for(i=0; i<4; i++){
> > - const int z0= block[i + 4*0] + block[i + 4*2];
> > - const int z1= block[i + 4*0] - block[i + 4*2];
> > - const int z2= (block[i + 4*1]>>1) - block[i + 4*3];
> > - const int z3= block[i + 4*1] + (block[i + 4*3]>>1);
> > + const SUINT z0= block[i + 4*0] + block[i + 4*2];
> > + const SUINT z1= block[i + 4*0] - block[i + 4*2];
> > + const SUINT z2= (block[i + 4*1]>>1) - block[i + 4*3];
> > + const SUINT z3= block[i + 4*1] + (block[i + 4*3]>>1);
> >
> > block[i + 4*0]= z0 + z3;
> > block[i + 4*1]= z1 + z2;
> > @@ -52,15 +52,15 @@ void FUNCC(ff_h264_idct_add)(uint8_t *_dst, int16_t
> > *_block, int stride)
> > }
> >
> > for(i=0; i<4; i++){
> > - const int z0= block[0 + 4*i] + block[2 + 4*i];
> > - const int z1= block[0 + 4*i] - block[2 + 4*i];
> > - const int z2= (block[1 + 4*i]>>1) - block[3 + 4*i];
> > - const int z3= block[1 + 4*i] + (block[3 + 4*i]>>1);
> > -
> > - dst[i + 0*stride]= av_clip_pixel(dst[i + 0*stride] + ((z0 + z3)
> > >> 6));
> > - dst[i + 1*stride]= av_clip_pixel(dst[i + 1*stride] + ((z1 + z2)
> > >> 6));
> > - dst[i + 2*stride]= av_clip_pixel(dst[i + 2*stride] + ((z1 - z2)
> > >> 6));
> > - dst[i + 3*stride]= av_clip_pixel(dst[i + 3*stride] + ((z0 - z3)
> > >> 6));
> > + const SUINT z0= block[0 + 4*i] + (SUINT)block[2 + 4*i];
> > + const SUINT z1= block[0 + 4*i] - (SUINT)block[2 + 4*i];
> > + const SUINT z2= (block[1 + 4*i]>>1) - (SUINT)block[3 + 4*i];
> > + const SUINT z3= block[1 + 4*i] + (SUINT)(block[3 + 4*i]>>1);
> > +
> > + dst[i + 0*stride]= av_clip_pixel(dst[i + 0*stride] + ((int)(z0 +
> > z3) >> 6));
> > + dst[i + 1*stride]= av_clip_pixel(dst[i + 1*stride] + ((int)(z1 +
> > z2) >> 6));
> > + dst[i + 2*stride]= av_clip_pixel(dst[i + 2*stride] + ((int)(z1 -
> > z2) >> 6));
> > + dst[i + 3*stride]= av_clip_pixel(dst[i + 3*stride] + ((int)(z0 -
> > z3) >> 6));
> > }
> >
> > memset(block, 0, 16 * sizeof(dctcoef));
> > --
> > 2.11.0
> >
> > _______________________________________________
> > ffmpeg-devel mailing list
> > ffmpeg-devel at ffmpeg.org
> > http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> >
>
> lgtm
applied
also remaining patchset applied
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Those who are too smart to engage in politics are punished by being
governed by those who are dumber. -- Plato
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20170228/5c2378b0/attachment.sig>
More information about the ffmpeg-devel
mailing list