avcodec/dpcm: Fix integer overflow in AV_CODEC_ID_GREMLIN_DPCM

Fixes: signed integer overflow: -2147479324 + -32568 cannot be represented in type 'int'
Fixes: 20103/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_GREMLIN_DPCM_fuzzer-5667667579240448
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c
index 7d3934ee35f3de0f68ba037787fe169f843d6292..5958081b66abec63489b83ee56c30bc8e951fabe 100644 (file)
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -367,7 +367,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
         while (output_samples < samples_end) {
             uint8_t n = bytestream2_get_byteu(&gb);
 
-            *output_samples++ = s->sample[idx] += s->array[n];
+            *output_samples++ = s->sample[idx] += (unsigned)s->array[n];
             idx ^= 1;
         }
         }