avcodec/ffv1dec: Fix integer overflow in read_quant_table()
authorMichael Niedermayer <michael@niedermayer.cc>
Mon, 18 Sep 2017 15:26:09 +0000 (17:26 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Sun, 24 Sep 2017 00:41:19 +0000 (02:41 +0200)
Fixes: runtime error: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 3361/clusterfuzz-testcase-minimized-5065842955911168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit d00fc952b6c261dd8eb0f7552b9ccf985dbc2b20)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/ffv1dec.c

index 5f7e11f..b92c3b3 100644 (file)
@@ -483,7 +483,7 @@ static int read_quant_table(RangeCoder *c, int16_t *quant_table, int scale)
     memset(state, 128, sizeof(state));
 
     for (v = 0; i < 128; v++) {
-        unsigned len = get_symbol(c, state, 0) + 1;
+        unsigned len = get_symbol(c, state, 0) + 1U;
 
         if (len > 128 - i || !len)
             return AVERROR_INVALIDDATA;