[FFmpeg-cvslog] avcodec/jpeg2000dsp: Reorder operations in ict_int() to avoid 2 integer overflows

Michael Niedermayer git at videolan.org
Sat Jun 17 23:38:09 EEST 2017


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat Jun 17 15:06:21 2017 +0200| [c746f92a8e03d5a062359fba836eba4b3530687e] | committer: Michael Niedermayer

avcodec/jpeg2000dsp: Reorder operations in ict_int() to avoid 2 integer overflows

Fixes: runtime error: signed integer overflow: 58065 * 51981 cannot be represented in type 'int'
Fixes: 2271/clusterfuzz-testcase-minimized-5778297776504832

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c746f92a8e03d5a062359fba836eba4b3530687e
---

 libavcodec/jpeg2000dsp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/jpeg2000dsp.c b/libavcodec/jpeg2000dsp.c
index d183cbb87d..c746aed924 100644
--- a/libavcodec/jpeg2000dsp.c
+++ b/libavcodec/jpeg2000dsp.c
@@ -64,10 +64,10 @@ static void ict_int(void *_src0, void *_src1, void *_src2, int csize)
     int i;
 
     for (i = 0; i < csize; i++) {
-        i0 = *src0 + (((i_ict_params[0] * *src2) + (1 << 15)) >> 16);
+        i0 = *src0 + *src2 + (((26345 * *src2) + (1 << 15)) >> 16);
         i1 = *src0 - (((i_ict_params[1] * *src1) + (1 << 15)) >> 16)
                    - (((i_ict_params[2] * *src2) + (1 << 15)) >> 16);
-        i2 = *src0 + (((i_ict_params[3] * *src1) + (1 << 15)) >> 16);
+        i2 = *src0 + (2 * *src1) + (((-14942 * *src1) + (1 << 15)) >> 16);
         *src0++ = i0;
         *src1++ = i1;
         *src2++ = i2;



More information about the ffmpeg-cvslog mailing list