[FFmpeg-devel] [PATCH 4/5] avcodec/wmalosslessdec: Fix several integer issues
Michael Niedermayer
michael at niedermayer.cc
Mon Nov 18 18:30:13 EET 2019
Fixes: shift exponent -1 is negative (and others)
Fixes: 18852/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WMALOSSLESS_fuzzer-5660855295541248
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
libavcodec/wmalosslessdec.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/libavcodec/wmalosslessdec.c b/libavcodec/wmalosslessdec.c
index 45740a090b..c8c941c31a 100644
--- a/libavcodec/wmalosslessdec.c
+++ b/libavcodec/wmalosslessdec.c
@@ -678,7 +678,7 @@ static void mclms_predict(WmallDecodeCtx *s, int icoef, int *pred)
for (i = 0; i < ich; i++)
pred[ich] += (uint32_t)s->channel_residues[i][icoef] *
s->mclms_coeffs_cur[i + num_channels * ich];
- pred[ich] += 1 << s->mclms_scaling - 1;
+ pred[ich] += (1 << s->mclms_scaling) >> 1;
pred[ich] >>= s->mclms_scaling;
s->channel_residues[ich][icoef] += pred[ich];
}
@@ -811,19 +811,19 @@ static void revert_acfilter(WmallDecodeCtx *s, int tile_size)
pred = 0;
for (j = 0; j < order; j++) {
if (i <= j)
- pred += filter_coeffs[j] * prevvalues[j - i];
+ pred += (uint32_t)filter_coeffs[j] * prevvalues[j - i];
else
- pred += s->channel_residues[ich][i - j - 1] * filter_coeffs[j];
+ pred += (uint32_t)s->channel_residues[ich][i - j - 1] * filter_coeffs[j];
}
pred >>= scaling;
- s->channel_residues[ich][i] += pred;
+ s->channel_residues[ich][i] += (unsigned)pred;
}
for (i = order; i < tile_size; i++) {
pred = 0;
for (j = 0; j < order; j++)
pred += (uint32_t)s->channel_residues[ich][i - j - 1] * filter_coeffs[j];
pred >>= scaling;
- s->channel_residues[ich][i] += pred;
+ s->channel_residues[ich][i] += (unsigned)pred;
}
for (j = 0; j < order; j++)
prevvalues[j] = s->channel_residues[ich][tile_size - j - 1];
--
2.23.0
More information about the ffmpeg-devel
mailing list