avcodec/takdec: Fix runtime error: signed integer overflow: 2146548196 +...

avcodec/takdec: Fix runtime error: signed integer overflow: 2146548196 + 2156738 cannot be represented in type 'int' Fixes: 1743/clusterfuzz-testcase-minimized-4994834022531072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/takdec: Fix runtime error: signed integer overflow: 2146548196 +...
avcodec/takdec: Fix runtime error: signed integer overflow: 2146548196 + 2156738 cannot be represented in type 'int' Fixes: 1743/clusterfuzz-testcase-minimized-4994834022531072 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
f95f9f97 · Michael Niedermayer · 0ce7cf0c · f95f9f97
Commit f95f9f97 authored May 22, 2017 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 10 deletions

takdec.c libavcodec/takdec.c +10 -10

No files found.
--- a/libavcodec/takdec.c
+++ b/libavcodec/takdec.c
@@ -203,7 +203,7 @@ static void decode_lpc(int32_t *coeffs, int mode, int length)
        return;
    if (mode == 1) {
-        int a1 = *coeffs++;
+        unsigned a1 = *coeffs++;
        for (i = 0; i < length - 1 >> 1; i++) {
            *coeffs   += a1;
            coeffs[1] += *coeffs;
@@ -213,14 +213,14 @@ static void decode_lpc(int32_t *coeffs, int mode, int length)
        if (length - 1 & 1)
            *coeffs += a1;
    } else if (mode == 2) {
-        int a1    = coeffs[1];
+        unsigned a1    = coeffs[1];
-        int a2    = a1 + *coeffs;
+        unsigned a2    = a1 + *coeffs;
        coeffs[1] = a2;
        if (length > 2) {
            coeffs += 2;
            for (i = 0; i < length - 2 >> 1; i++) {
-                int a3    = *coeffs + a1;
+                unsigned a3    = *coeffs + a1;
-                int a4    = a3 + a2;
+                unsigned a4    = a3 + a2;
                *coeffs   = a4;
                a1        = coeffs[1] + a3;
                a2        = a1 + a4;
@@ -231,13 +231,13 @@ static void decode_lpc(int32_t *coeffs, int mode, int length)
                *coeffs += a1 + a2;
        }
    } else if (mode == 3) {
-        int a1    = coeffs[1];
+        unsigned a1    = coeffs[1];
-        int a2    = a1 + *coeffs;
+        unsigned a2    = a1 + *coeffs;
        coeffs[1] = a2;
        if (length > 2) {
-            int a3  = coeffs[2];
+            unsigned a3  = coeffs[2];
-            int a4  = a3 + a1;
+            unsigned a4  = a3 + a1;
-            int a5  = a4 + a2;
+            unsigned a5  = a4 + a2;
            coeffs[2] = a5;
            coeffs += 3;
            for (i = 0; i < length - 3; i++) {