From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTP id E89AF4523E for ; Sun, 16 Apr 2023 16:48:43 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 97C7068B1AD; Sun, 16 Apr 2023 19:48:40 +0300 (EEST) Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id B55336802DE for ; Sun, 16 Apr 2023 19:48:33 +0300 (EEST) Received: (Authenticated sender: michael@niedermayer.cc) by mail.gandi.net (Postfix) with ESMTPSA id 6EEEC1C0002 for ; Sun, 16 Apr 2023 16:48:32 +0000 (UTC) 
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 16 Apr 2023 18:48:20 +0200
Message-Id: <20230416164830.15664-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
Subject: [FFmpeg-devel] [PATCH 01/11] avcodec/adpcm: Fix integer overflow in intermediate in ADPCM_XMD

Fixes: runtime error: signed integer overflow: 2140143616 + 254665816 cannot be represented in type 'int'
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_XMD_fuzzer-6690181676924928

As a side effect this simplifies the equation; the high bits are different after this, but only the low 16 bits are stored and used in later steps.

The change is untested as there are no fate testcases, no sample files on the server, no links on the mailing list and no reports on trac referencing this format that I could find.

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/adpcm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index 451696932d1..d8f334cf5a0 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -1579,11 +1579,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, AVFrame *frame, nibble[0] = sign_extend(byte & 15, 4); nibble[1] = sign_extend(byte >> 4, 4); - out[2+n*2] = (nibble[0]*(scale<<14) + (history[0]*29336) - (history[1]*13136)) >> 14; + out[2+n*2 ] = nibble[0]*scale + ((history[0]*3667 - history[1]*1642) >> 11); history[1] = history[0]; history[0] = out[2+n*2]; - out[2+n*2+1] = (nibble[1]*(scale<<14) + (history[0]*29336) - (history[1]*13136)) >> 14; + out[2+n*2+1] = nibble[1]*scale + ((history[0]*3667 - history[1]*1642) >> 11); history[1] = history[0]; history[0] = out[2+n*2+1]; } -- 2.17.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
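Review bot: the commit message says the high bits differ, but for the two replaced `out[...] =` lines the new expression is bit-identical to the old one whenever the old one does not overflow, and stating that in the message would make the change easier to verify. Since 29336 = 3667 << 3 and 13136 = 1642 << 3, and nibble[0]*(scale<<14) is an exact multiple of 1 << 14, an arithmetic right shift gives (nibble[0]*(scale<<14) + history[0]*29336 - history[1]*13136) >> 14 == nibble[0]*scale + ((history[0]*3667 - history[1]*1642) >> 11) exactly (same for the nibble[1] line); only the previously overflowing inputs change result. What the new form still relies on is that history[0] and history[1] stay in 16-bit range, so that the products by 3667 and 1642 fit in an int, and that nibble[]*scale itself cannot overflow for the range of scale the decoder accepts; a short comment at the assignment naming that bound on scale would document why the intermediate is now safe. Minor style point: the first replaced line has a stray space in `out[2+n*2 ]` that the second line does not.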