[FFmpeg-devel] [PATCH 1/6] avcodec/aacps: Fix integer overflows in hybrid_synthesis()
Michael Niedermayer
michael at niedermayer.cc
Sat Aug 24 21:18:24 EEST 2019
Fixes: signed integer overflow: -822667928 + -1399761199 cannot be represented in type 'int'
Fixes: 15756/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5645182051024896
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
libavcodec/aacps.c | 36 ++++++++++++++++++------------------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/libavcodec/aacps.c b/libavcodec/aacps.c
index d5dca64b0f..22df160fe7 100644
--- a/libavcodec/aacps.c
+++ b/libavcodec/aacps.c
@@ -414,33 +414,33 @@ static void hybrid_synthesis(PSDSPContext *dsp, INTFLOAT out[2][38][64],
memset(out[0][n], 0, 5*sizeof(out[0][n][0]));
memset(out[1][n], 0, 5*sizeof(out[1][n][0]));
for (i = 0; i < 12; i++) {
- out[0][n][0] += in[ i][n][0];
- out[1][n][0] += in[ i][n][1];
+ out[0][n][0] += (UINTFLOAT)in[ i][n][0];
+ out[1][n][0] += (UINTFLOAT)in[ i][n][1];
}
for (i = 0; i < 8; i++) {
- out[0][n][1] += in[12+i][n][0];
- out[1][n][1] += in[12+i][n][1];
+ out[0][n][1] += (UINTFLOAT)in[12+i][n][0];
+ out[1][n][1] += (UINTFLOAT)in[12+i][n][1];
}
for (i = 0; i < 4; i++) {
- out[0][n][2] += in[20+i][n][0];
- out[1][n][2] += in[20+i][n][1];
- out[0][n][3] += in[24+i][n][0];
- out[1][n][3] += in[24+i][n][1];
- out[0][n][4] += in[28+i][n][0];
- out[1][n][4] += in[28+i][n][1];
+ out[0][n][2] += (UINTFLOAT)in[20+i][n][0];
+ out[1][n][2] += (UINTFLOAT)in[20+i][n][1];
+ out[0][n][3] += (UINTFLOAT)in[24+i][n][0];
+ out[1][n][3] += (UINTFLOAT)in[24+i][n][1];
+ out[0][n][4] += (UINTFLOAT)in[28+i][n][0];
+ out[1][n][4] += (UINTFLOAT)in[28+i][n][1];
}
}
dsp->hybrid_synthesis_deint(out, in + 27, 5, len);
} else {
for (n = 0; n < len; n++) {
- out[0][n][0] = in[0][n][0] + in[1][n][0] + in[2][n][0] +
- in[3][n][0] + in[4][n][0] + in[5][n][0];
- out[1][n][0] = in[0][n][1] + in[1][n][1] + in[2][n][1] +
- in[3][n][1] + in[4][n][1] + in[5][n][1];
- out[0][n][1] = in[6][n][0] + in[7][n][0];
- out[1][n][1] = in[6][n][1] + in[7][n][1];
- out[0][n][2] = in[8][n][0] + in[9][n][0];
- out[1][n][2] = in[8][n][1] + in[9][n][1];
+ out[0][n][0] = (UINTFLOAT)in[0][n][0] + in[1][n][0] + in[2][n][0] +
+ (UINTFLOAT)in[3][n][0] + in[4][n][0] + in[5][n][0];
+ out[1][n][0] = (UINTFLOAT)in[0][n][1] + in[1][n][1] + in[2][n][1] +
+ (UINTFLOAT)in[3][n][1] + in[4][n][1] + in[5][n][1];
+ out[0][n][1] = (UINTFLOAT)in[6][n][0] + in[7][n][0];
+ out[1][n][1] = (UINTFLOAT)in[6][n][1] + in[7][n][1];
+ out[0][n][2] = (UINTFLOAT)in[8][n][0] + in[9][n][0];
+ out[1][n][2] = (UINTFLOAT)in[8][n][1] + in[9][n][1];
}
dsp->hybrid_synthesis_deint(out, in + 7, 3, len);
}
--
2.23.0
More information about the ffmpeg-devel
mailing list