From d7cb0d2205a3aa0a9b79aa4e1c793cd265f6679d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 6 Sep 2019 10:55:26 +0200
Subject: [PATCH] avcodec/smacker: Fix integer overflow in signed int multiply
 in SMK_BLK_FILL

Fixes: signed integer overflow: 238 * 16843009 cannot be represented in type 'int'
Fixes: 16958/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SMACKER_fuzzer-5193905355620352

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 033d2c4884eca3f4f80047bff93255b0cc4fa7a3)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/smacker.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/smacker.c b/libavcodec/smacker.c
index 61e316916b..27da0bc97a 100644
--- a/libavcodec/smacker.c
+++ b/libavcodec/smacker.c
@@ -536,7 +536,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
             while(run-- && blk < blocks){
                 uint32_t col;
                 out = smk->pic->data[0] + (blk / bw) * (stride * 4) + (blk % bw) * 4;
-                col = mode * 0x01010101;
+                col = mode * 0x01010101U;
                 for(i = 0; i < 4; i++) {
                     *((uint32_t*)out) = col;
                     out += stride;