avcodec/alsdec: Fix integer overflow in decode_var_block_data()
authorMichael Niedermayer <michael@niedermayer.cc>
Sun, 18 Aug 2019 23:30:53 +0000 (01:30 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Tue, 20 Aug 2019 23:21:27 +0000 (01:21 +0200)
Fixes: signed integer overflow: 1927975249 - -514719744 cannot be represented in type 'int'
Fixes: 16413/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5651206856245248

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Thilo Borgmann <thilo.borgmann@mail.de>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/alsdec.c

index 1fdd0cb0fe07d7817d1de8a2d6235f4a2ed0a16c..11bbd38f582aaf2dae9f37b2d37fe38e9ddaf9f3 100644 (file)
@@ -951,7 +951,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
 
         // reconstruct difference signal for prediction (joint-stereo)
         if (bd->js_blocks && bd->raw_other) {
-            int32_t *left, *right;
+            uint32_t *left, *right;
 
             if (bd->raw_other > raw_samples) {  // D = R - L
                 left  = raw_samples;