virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-08-10 06:10:52 +02:00
Code Issues Releases Activity

avcodec/h264idct_template: Fix multiple runtime error: signed integer overflow

Browse Source 
Fixes: 677/clusterfuzz-testcase-6635120628858880

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Reviewed-by: Steven Liu <lingjiujianke@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2017-02-26 20:28:01 +01:00
parent 26a7d6a301
commit 4ea7744859
1 changed files with 12 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
libavcodec/h264idct_template.c
View File

@@ -40,10 +40,10 @@ void FUNCC(ff_h264_idct_add)(uint8_t *_dst, int16_t *_block, int stride)
block[0] += 1 << 5; block[0] += 1 << 5;
for(i=0; i<4; i++){ for(i=0; i<4; i++){
const int z0= block[i + 4*0] + block[i + 4*2]; const SUINT z0= block[i + 4*0] + block[i + 4*2];
const int z1= block[i + 4*0] - block[i + 4*2]; const SUINT z1= block[i + 4*0] - block[i + 4*2];
const int z2= (block[i + 4*1]>>1) - block[i + 4*3]; const SUINT z2= (block[i + 4*1]>>1) - block[i + 4*3];
const int z3= block[i + 4*1] + (block[i + 4*3]>>1); const SUINT z3= block[i + 4*1] + (block[i + 4*3]>>1);
block[i + 4*0]= z0 + z3; block[i + 4*0]= z0 + z3;
block[i + 4*1]= z1 + z2; block[i + 4*1]= z1 + z2;
@@ -52,15 +52,15 @@ void FUNCC(ff_h264_idct_add)(uint8_t *_dst, int16_t *_block, int stride)
} }
for(i=0; i<4; i++){ for(i=0; i<4; i++){
const int z0= block[0 + 4*i] + block[2 + 4*i]; const SUINT z0= block[0 + 4*i] + (SUINT)block[2 + 4*i];
const int z1= block[0 + 4*i] - block[2 + 4*i]; const SUINT z1= block[0 + 4*i] - (SUINT)block[2 + 4*i];
const int z2= (block[1 + 4*i]>>1) - block[3 + 4*i]; const SUINT z2= (block[1 + 4*i]>>1) - (SUINT)block[3 + 4*i];
const int z3= block[1 + 4*i] + (block[3 + 4*i]>>1); const SUINT z3= block[1 + 4*i] + (SUINT)(block[3 + 4*i]>>1);
dst[i + 0*stride]= av_clip_pixel(dst[i + 0*stride] + ((z0 + z3) >> 6)); dst[i + 0*stride]= av_clip_pixel(dst[i + 0*stride] + ((int)(z0 + z3) >> 6));
dst[i + 1*stride]= av_clip_pixel(dst[i + 1*stride] + ((z1 + z2) >> 6)); dst[i + 1*stride]= av_clip_pixel(dst[i + 1*stride] + ((int)(z1 + z2) >> 6));
dst[i + 2*stride]= av_clip_pixel(dst[i + 2*stride] + ((z1 - z2) >> 6)); dst[i + 2*stride]= av_clip_pixel(dst[i + 2*stride] + ((int)(z1 - z2) >> 6));
dst[i + 3*stride]= av_clip_pixel(dst[i + 3*stride] + ((z0 - z3) >> 6)); dst[i + 3*stride]= av_clip_pixel(dst[i + 3*stride] + ((int)(z0 - z3) >> 6));
} }
memset(block, 0, 16 * sizeof(dctcoef)); memset(block, 0, 16 * sizeof(dctcoef));