avcodec/rv34: Fix runtime error: signed integer overflow: 768 * 4126720 cannot...

avcodec/rv34: Fix runtime error: signed integer overflow: 768 * 4126720 cannot be represented in type 'int' Fixes: 1655/clusterfuzz-testcase-minimized-5587079276789760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/rv34: Fix runtime error: signed integer overflow: 768 * 4126720 cannot...
avcodec/rv34: Fix runtime error: signed integer overflow: 768 * 4126720 cannot be represented in type 'int' Fixes: 1655/clusterfuzz-testcase-minimized-5587079276789760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
4bd869eb · Michael Niedermayer · 53a50220 · 4bd869eb
Commit 4bd869eb authored May 17, 2017 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

rv34.c libavcodec/rv34.c +4 -1

No files found.
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -521,7 +521,7 @@ static int calc_add_mv(RV34DecContext *r, int dir, int val)
 {
    int mul = dir ? -r->mv_weight2 : r->mv_weight1;

-    return (val * mul + 0x2000) >> 14;
+    return (int)(val * (SUINT)mul + 0x2000) >> 14;
 }

 /**
@@ -1762,6 +1762,9 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
                r->mv_weight1 = r->mv_weight2 = r->weight1 = r->weight2 = 8192;
                r->scaled_weight = 0;
            }else{
+                if (FFMAX(dist0, dist1) > refdist)
+                    av_log(avctx, AV_LOG_TRACE, "distance overflow\n");
+
                r->mv_weight1 = (dist0 << 14) / refdist;
                r->mv_weight2 = (dist1 << 14) / refdist;
                if((r->mv_weight1|r->mv_weight2) & 511){