avcodec/snowdec: Fix runtime error: signed integer overflow: 1404 * 8388608 cannot...

[ffmpeg] / libavcodec / snowdec.c

diff --git a/libavcodec/snowdec.c b/libavcodec/snowdec.c
index 8c35e3e0845c48c5c57ed73bd78bc46b9825c2e9..6cf15c5ae6f16e2037b3661121ce3106e1cec5c5 100644 (file)
--- a/libavcodec/snowdec.c
+++ b/libavcodec/snowdec.c
@@ -228,9 +228,9 @@ static void dequantize_slice_buffered(SnowContext *s, slice_buffer * sb, SubBand
         for(x=0; x<w; x++){
             int i= line[x];
             if(i<0){
-                line[x]= -((-i*qmul + qadd)>>(QEXPSHIFT)); //FIXME try different bias
+                line[x]= -((-i*(unsigned)qmul + qadd)>>(QEXPSHIFT)); //FIXME try different bias
             }else if(i>0){
-                line[x]=  (( i*qmul + qadd)>>(QEXPSHIFT));
+                line[x]=  (( i*(unsigned)qmul + qadd)>>(QEXPSHIFT));
             }
         }
     }
@@ -384,6 +384,10 @@ static int decode_header(SnowContext *s){
         av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_count %d too large for size\n", s->spatial_decomposition_count);
         return AVERROR_INVALIDDATA;
     }
+    if (s->avctx->width > 65536-4) {
+        av_log(s->avctx, AV_LOG_ERROR, "Width %d is too large\n", s->avctx->width);
+        return AVERROR_INVALIDDATA;
+    }
 
 
     s->qlog           += get_symbol(&s->c, s->header_state, 1);