[FFmpeg-devel] [PATCH 1/6] avcodec/aacps: Fix integer overflows in hybrid_synthesis()

Michael Niedermayer michael at niedermayer.cc
Sat Aug 24 21:18:24 EEST 2019


Fixes: signed integer overflow: -822667928 + -1399761199 cannot be represented in type 'int'
Fixes: 15756/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5645182051024896

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 libavcodec/aacps.c | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c
index d5dca64b0f..22df160fe7 100644
--- a/libavcodec/aacps.c
+++ b/libavcodec/aacps.c
@@ -414,33 +414,33 @@ static void hybrid_synthesis(PSDSPContext *dsp, INTFLOAT out[2][38][64],
             memset(out[0][n], 0, 5*sizeof(out[0][n][0]));
             memset(out[1][n], 0, 5*sizeof(out[1][n][0]));
             for (i = 0; i < 12; i++) {
-                out[0][n][0] += in[   i][n][0];
-                out[1][n][0] += in[   i][n][1];
+                out[0][n][0] += (UINTFLOAT)in[   i][n][0];
+                out[1][n][0] += (UINTFLOAT)in[   i][n][1];
             }
             for (i = 0; i < 8; i++) {
-                out[0][n][1] += in[12+i][n][0];
-                out[1][n][1] += in[12+i][n][1];
+                out[0][n][1] += (UINTFLOAT)in[12+i][n][0];
+                out[1][n][1] += (UINTFLOAT)in[12+i][n][1];
             }
             for (i = 0; i < 4; i++) {
-                out[0][n][2] += in[20+i][n][0];
-                out[1][n][2] += in[20+i][n][1];
-                out[0][n][3] += in[24+i][n][0];
-                out[1][n][3] += in[24+i][n][1];
-                out[0][n][4] += in[28+i][n][0];
-                out[1][n][4] += in[28+i][n][1];
+                out[0][n][2] += (UINTFLOAT)in[20+i][n][0];
+                out[1][n][2] += (UINTFLOAT)in[20+i][n][1];
+                out[0][n][3] += (UINTFLOAT)in[24+i][n][0];
+                out[1][n][3] += (UINTFLOAT)in[24+i][n][1];
+                out[0][n][4] += (UINTFLOAT)in[28+i][n][0];
+                out[1][n][4] += (UINTFLOAT)in[28+i][n][1];
             }
         }
         dsp->hybrid_synthesis_deint(out, in + 27, 5, len);
     } else {
         for (n = 0; n < len; n++) {
-            out[0][n][0] = in[0][n][0] + in[1][n][0] + in[2][n][0] +
-                           in[3][n][0] + in[4][n][0] + in[5][n][0];
-            out[1][n][0] = in[0][n][1] + in[1][n][1] + in[2][n][1] +
-                           in[3][n][1] + in[4][n][1] + in[5][n][1];
-            out[0][n][1] = in[6][n][0] + in[7][n][0];
-            out[1][n][1] = in[6][n][1] + in[7][n][1];
-            out[0][n][2] = in[8][n][0] + in[9][n][0];
-            out[1][n][2] = in[8][n][1] + in[9][n][1];
+            out[0][n][0] = (UINTFLOAT)in[0][n][0] + in[1][n][0] + in[2][n][0] +
+                           (UINTFLOAT)in[3][n][0] + in[4][n][0] + in[5][n][0];
+            out[1][n][0] = (UINTFLOAT)in[0][n][1] + in[1][n][1] + in[2][n][1] +
+                           (UINTFLOAT)in[3][n][1] + in[4][n][1] + in[5][n][1];
+            out[0][n][1] = (UINTFLOAT)in[6][n][0] + in[7][n][0];
+            out[1][n][1] = (UINTFLOAT)in[6][n][1] + in[7][n][1];
+            out[0][n][2] = (UINTFLOAT)in[8][n][0] + in[9][n][0];
+            out[1][n][2] = (UINTFLOAT)in[8][n][1] + in[9][n][1];
         }
         dsp->hybrid_synthesis_deint(out, in + 7, 3, len);
     }
-- 
2.23.0



More information about the ffmpeg-devel mailing list