har0ke/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avcodec/ffwavesynth: Fix integer overflow with pink_ts_cur/next

Browse Source 
Fixes: signed integer overflow: 6175076100092079360 - -5034989061050195840 cannot be represented in type 'long'
Fixes: 18614/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FFWAVESYNTH_fuzzer-5704508847423488

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2019-11-05 22:11:52 +01:00
parent 721624c2f6
commit d82ab96e76
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libavcodec/ffwavesynth.c
View File

@ -217,8 +217,8 @@ static void wavesynth_seek(struct wavesynth_context *ws, int64_t ts)
*last = -1; *last = -1;
lcg_seek(&ws->dither_state, (uint32_t)ts - (uint32_t)ws->cur_ts); lcg_seek(&ws->dither_state, (uint32_t)ts - (uint32_t)ws->cur_ts);
if (ws->pink_need) { if (ws->pink_need) {
int64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1); uint64_t pink_ts_cur = (ws->cur_ts + PINK_UNIT - 1) & ~(PINK_UNIT - 1);
int64_t pink_ts_next = ts & ~(PINK_UNIT - 1); uint64_t pink_ts_next = ts & ~(PINK_UNIT - 1);
int pos = ts & (PINK_UNIT - 1); int pos = ts & (PINK_UNIT - 1);
lcg_seek(&ws->pink_state, (uint32_t)(pink_ts_next - pink_ts_cur) * 2); lcg_seek(&ws->pink_state, (uint32_t)(pink_ts_next - pink_ts_cur) * 2);
if (pos) { if (pos) {