Welcome to mirror list, hosted at ThFree Co, Russian Federation.

github.com/FFmpeg/FFmpeg.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/libavcodec/mpeg4videodec.c
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2017-06-20 14:52:06 +0300
committerMichael Niedermayer <michael@niedermayer.cc>2017-06-22 04:08:35 +0300
commitb66e30ca7658b99777765843be344ef377802d1d (patch)
tree3d7cfef5b1f485c3822650c64d62dfd8ce6f8ac3 /libavcodec/mpeg4videodec.c
parent4afd24805954502d771e39107df245620c7e84af (diff)
avcodec/mpeg4videodec: Fix overflow in virtual_ref computation
Fixes: runtime error: signed integer overflow: 262144 * -16120 cannot be represented in type 'int' Fixes: 2292/clusterfuzz-testcase-minimized-6156080415506432 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 5443c4bdf4828ac5b7b19cf54feb496c2da40079) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec/mpeg4videodec.c')
-rw-r--r--libavcodec/mpeg4videodec.c16
1 files changed, 8 insertions, 8 deletions
diff --git a/libavcodec/mpeg4videodec.c b/libavcodec/mpeg4videodec.c
index a9aa6d67d0..9e85dfac74 100644
--- a/libavcodec/mpeg4videodec.c
+++ b/libavcodec/mpeg4videodec.c
@@ -242,18 +242,18 @@ static int mpeg4_decode_sprite_trajectory(Mpeg4DecContext *ctx, GetBitContext *g
* from w&h based to w2&h2 based which are of the 2^x form. */
virtual_ref[0][0] = 16 * (vop_ref[0][0] + w2) +
ROUNDED_DIV(((w - w2) *
- (r * sprite_ref[0][0] - 16 * vop_ref[0][0]) +
- w2 * (r * sprite_ref[1][0] - 16 * vop_ref[1][0])), w);
+ (r * sprite_ref[0][0] - 16LL * vop_ref[0][0]) +
+ w2 * (r * sprite_ref[1][0] - 16LL * vop_ref[1][0])), w);
virtual_ref[0][1] = 16 * vop_ref[0][1] +
ROUNDED_DIV(((w - w2) *
- (r * sprite_ref[0][1] - 16 * vop_ref[0][1]) +
- w2 * (r * sprite_ref[1][1] - 16 * vop_ref[1][1])), w);
+ (r * sprite_ref[0][1] - 16LL * vop_ref[0][1]) +
+ w2 * (r * sprite_ref[1][1] - 16LL * vop_ref[1][1])), w);
virtual_ref[1][0] = 16 * vop_ref[0][0] +
- ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][0] - 16 * vop_ref[0][0]) +
- h2 * (r * sprite_ref[2][0] - 16 * vop_ref[2][0])), h);
+ ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][0] - 16LL * vop_ref[0][0]) +
+ h2 * (r * sprite_ref[2][0] - 16LL * vop_ref[2][0])), h);
virtual_ref[1][1] = 16 * (vop_ref[0][1] + h2) +
- ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][1] - 16 * vop_ref[0][1]) +
- h2 * (r * sprite_ref[2][1] - 16 * vop_ref[2][1])), h);
+ ROUNDED_DIV(((h - h2) * (r * sprite_ref[0][1] - 16LL * vop_ref[0][1]) +
+ h2 * (r * sprite_ref[2][1] - 16LL * vop_ref[2][1])), h);
switch (ctx->num_sprite_warping_points) {
case 0:
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-09 04:15:14 +0300