From 58e9c7f4a2fdce4bc5531a618c142f27117c5145 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 14 Mar 2017 01:17:53 +0100 Subject: [PATCH] avcodec/wavpack: Fix multiple integer overflows Fixes: 839/clusterfuzz-testcase-4871084446842880 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/wavpack.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c index bc94b27c040..3d0b01f257c 100644 --- a/libavcodec/wavpack.c +++ b/libavcodec/wavpack.c @@ -268,7 +268,7 @@ error: } static inline int wv_get_value_integer(WavpackFrameContext *s, uint32_t *crc, - int S) + unsigned S) { unsigned bit; @@ -415,11 +415,11 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, if (t > 0) { if (t > 8) { if (t & 1) { - A = 2 * s->decorr[i].samplesA[0] - s->decorr[i].samplesA[1]; - B = 2 * s->decorr[i].samplesB[0] - s->decorr[i].samplesB[1]; + A = 2U * s->decorr[i].samplesA[0] - s->decorr[i].samplesA[1]; + B = 2U * s->decorr[i].samplesB[0] - s->decorr[i].samplesB[1]; } else { - A = (3 * s->decorr[i].samplesA[0] - s->decorr[i].samplesA[1]) >> 1; - B = (3 * s->decorr[i].samplesB[0] - s->decorr[i].samplesB[1]) >> 1; + A = (int)(3U * s->decorr[i].samplesA[0] - s->decorr[i].samplesA[1]) >> 1; + B = (int)(3U * s->decorr[i].samplesB[0] - s->decorr[i].samplesB[1]) >> 1; } s->decorr[i].samplesA[1] = s->decorr[i].samplesA[0]; s->decorr[i].samplesB[1] = s->decorr[i].samplesB[0]; @@ -488,7 +488,7 @@ static inline int wv_unpack_stereo(WavpackFrameContext *s, GetBitContext *gb, pos = (pos + 1) & 7; if (s->joint) - L += (R -= (L >> 1)); + L += (unsigned)(R -= (unsigned)(L >> 1)); crc = (crc * 3 + L) * 3 + R; if (type == AV_SAMPLE_FMT_FLTP) { -- 2.39.5