avcodec/bink: Fix integer overflow in unquantize_dct_coeffs()

Fixes: signed integer overflow: -3447 * 2883584 cannot be represented in type 'int' Fixes: 15265/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINK_fuzzer-5088311799971840 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Peter Ross <pross@xvid.org> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 62ad08cef993f7a103b6d3a5498f6fa49190e085) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2025-03-17 20:17:55 +02:00 · 2019-06-18 14:28:17 +02:00 · 2019-06-18 14:28:17 +02:00 · 9a68341e9e
commit 9a68341e9e
parent da081ecf69
1 changed files with 3 additions and 3 deletions
--- a/libavcodec/bink.c
+++ b/libavcodec/bink.c
@ -702,15 +702,15 @@ static int read_dct_coeffs(GetBitContext *gb, int32_t block[64],
    return quant_idx;
 }

-static void unquantize_dct_coeffs(int32_t block[64], const int32_t quant[64],
+static void unquantize_dct_coeffs(int32_t block[64], const uint32_t quant[64],
                                  int coef_count, int coef_idx[64],
                                  const uint8_t *scan)
 {
    int i;
-    block[0] = (block[0] * quant[0]) >> 11;
+    block[0] = (int)(block[0] * quant[0]) >> 11;
    for (i = 0; i < coef_count; i++) {
        int idx = coef_idx[i];
-        block[scan[idx]] = (block[scan[idx]] * quant[idx]) >> 11;
+        block[scan[idx]] = (int)(block[scan[idx]] * quant[idx]) >> 11;
    }
 }