opus_silk: Fix arithmetic overflow (per RFC8251)

author Andrew D'Addesio <modchipv12@gmail.com>

Sat, 2 Dec 2017 17:36:25 +0000 (11:36 -0600)

committer Rostislav Pehlivanov <atomnuker@gmail.com>

Mon, 4 Dec 2017 07:28:45 +0000 (07:28 +0000)
author Andrew D'Addesio <modchipv12@gmail.com>
Sat, 2 Dec 2017 17:36:25 +0000 (11:36 -0600)
committer Rostislav Pehlivanov <atomnuker@gmail.com>
Mon, 4 Dec 2017 07:28:45 +0000 (07:28 +0000)
diff --git a/libavcodec/opus_silk.c b/libavcodec/opus_silk.c

index 3c9c849c21de94176c647b99874573691e3e50bd..344333cc180f05d7833b9ee48fe90091bad1b39c 100644 (file)
--- a/libavcodec/opus_silk.c
+++ b/libavcodec/opus_silk.c
@@ -185,8 +185,15 @@ static inline int silk_is_lpc_stable(const int16_t lpc[16], int order)
          row = lpc32[k & 1];
  
          for (j = 0; j < k; j++) {
-            int x = prevrow[j] - ROUND_MULL(prevrow[k - j - 1], rc, 31);
-            row[j] = ROUND_MULL(x, gain, fbits);
+            int x = av_sat_sub32(prevrow[j], ROUND_MULL(prevrow[k - j - 1], rc, 31));
+            int64_t tmp = ROUND_MULL(x, gain, fbits);
+
+            /* per RFC 8251 section 6, if this calculation overflows, the filter
+               is considered unstable. */
+            if (tmp < INT32_MIN || tmp > INT32_MAX)
+                return 0;
+
+            row[j] = (int32_t)tmp;
          }
      }
  }
author	Andrew D'Addesio <modchipv12@gmail.com>
	Sat, 2 Dec 2017 17:36:25 +0000 (11:36 -0600)
committer	Rostislav Pehlivanov <atomnuker@gmail.com>
	Mon, 4 Dec 2017 07:28:45 +0000 (07:28 +0000)