[FFmpeg-devel] [PATCH 3/4] avutil/tx_template: Fix some signed integer overflows in DECL_FFT5()

[Michael Niedermayer]

Fixes: signed integer overflow: -1364715454 + -1468954671 cannot be represented in type 'int'
Fixes: 62093/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_FIXED_fuzzer-5538774254485504

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 libavutil/tx_template.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/libavutil/tx_template.c b/libavutil/tx_template.c
index 6e3b3dad338..8dc3d2519c1 100644
--- a/libavutil/tx_template.c
+++ b/libavutil/tx_template.c
@@ -222,8 +222,8 @@ static av_always_inline void NAME(TXComplex *out, TXComplex *in,    \
     BF(t[3].im, t[2].re, in[2].re, in[3].re);                       \
     BF(t[3].re, t[2].im, in[2].im, in[3].im);                       \
                                                                     \
-    out[D0*stride].re = dc.re + t[0].re + t[2].re;                  \
-    out[D0*stride].im = dc.im + t[0].im + t[2].im;                  \
+    out[D0*stride].re = dc.re + (TXUSample)t[0].re + t[2].re;        \
+    out[D0*stride].im = dc.im + (TXUSample)t[0].im + t[2].im;        \
                                                                     \
     SMUL(t[4].re, t[0].re, tab[0], tab[2], t[2].re, t[0].re);       \
     SMUL(t[4].im, t[0].im, tab[0], tab[2], t[2].im, t[0].im);       \
@@ -235,14 +235,14 @@ static av_always_inline void NAME(TXComplex *out, TXComplex *in,    \
     BF(z0[2].re, z0[1].re, t[4].re, t[5].re);                       \
     BF(z0[2].im, z0[1].im, t[4].im, t[5].im);                       \
                                                                     \
-    out[D1*stride].re = dc.re + z0[3].re;                           \
-    out[D1*stride].im = dc.im + z0[0].im;                           \
-    out[D2*stride].re = dc.re + z0[2].re;                           \
-    out[D2*stride].im = dc.im + z0[1].im;                           \
-    out[D3*stride].re = dc.re + z0[1].re;                           \
-    out[D3*stride].im = dc.im + z0[2].im;                           \
-    out[D4*stride].re = dc.re + z0[0].re;                           \
-    out[D4*stride].im = dc.im + z0[3].im;                           \
+    out[D1*stride].re = dc.re + (TXUSample)z0[3].re;                 \
+    out[D1*stride].im = dc.im + (TXUSample)z0[0].im;                 \
+    out[D2*stride].re = dc.re + (TXUSample)z0[2].re;                 \
+    out[D2*stride].im = dc.im + (TXUSample)z0[1].im;                 \
+    out[D3*stride].re = dc.re + (TXUSample)z0[1].re;                 \
+    out[D3*stride].im = dc.im + (TXUSample)z0[2].im;                 \
+    out[D4*stride].re = dc.re + (TXUSample)z0[0].re;                 \
+    out[D4*stride].im = dc.im + (TXUSample)z0[3].im;                 \
 }
 
 DECL_FFT5(fft5,     0,  1,  2,  3,  4)
-- 
2.17.1