[FFmpeg-devel] [PATCH] avutil/lfg: Correct index increment type to avoid undefined behavior

Sun Oct 20 13:09:11 EEST 2019

Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 18333/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COMFORTNOISE_fuzzer-5668481831272448

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 libavutil/lfg.h | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/libavutil/lfg.h b/libavutil/lfg.h
index 03f779ad8a..94b02909ec 100644
--- a/libavutil/lfg.h
+++ b/libavutil/lfg.h
@@ -45,8 +45,9 @@ int av_lfg_init_from_data(AVLFG *c, const uint8_t *data, unsigned int length);
  * it may be good enough and faster for your specific use case.
  */
 static inline unsigned int av_lfg_get(AVLFG *c){
-    c->state[c->index & 63] = c->state[(c->index-24) & 63] + c->state[(c->index-55) & 63];
-    return c->state[c->index++ & 63];
+    unsigned a = c->state[c->index & 63] = c->state[(c->index-24) & 63] + c->state[(c->index-55) & 63];
+    c->index += 1U;
+    return a;
 }
 
 /**
@@ -57,7 +58,9 @@ static inline unsigned int av_lfg_get(AVLFG *c){
 static inline unsigned int av_mlfg_get(AVLFG *c){
     unsigned int a= c->state[(c->index-55) & 63];
     unsigned int b= c->state[(c->index-24) & 63];
-    return c->state[c->index++ & 63] = 2*a*b+a+b;
+    a = c->state[c->index & 63] = 2*a*b+a+b;
+    c->index += 1U;
+    return a;
 }
 
 /**
-- 
2.23.0

