From ad2296ab3a131d3560c385e43437841987166804 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 6 May 2017 22:09:59 +0200 Subject: [PATCH] avcodec/aacdec_fixed: Fix various integer overflows Fixes: 1377/clusterfuzz-testcase-minimized-5487049807233024 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_fixed.c | 2 +- libavcodec/aacdec_template.c | 4 ++-- libavcodec/sbrdsp_fixed.c | 28 +++++++++++++++------------- 3 files changed, 18 insertions(+), 16 deletions(-) diff --git a/libavcodec/aacdec_fixed.c b/libavcodec/aacdec_fixed.c index acb8178337..e3c68a9767 100644 --- a/libavcodec/aacdec_fixed.c +++ b/libavcodec/aacdec_fixed.c @@ -180,7 +180,7 @@ static void subband_scale(int *dst, int *src, int scale, int offset, int len) } else { s = s + 32; - round = 1 << (s-1); + round = 1U << (s-1); for (i=0; i> s); dst[i] = out * ssign; diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index b20855b99d..d034ae4feb 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2796,9 +2796,9 @@ static void spectral_to_sample(AACContext *ac, int samples) int j; /* preparation for resampler */ for(j = 0; jch[0].ret[j] = (int32_t)av_clipl_int32((int64_t)che->ch[0].ret[j]<<7)+0x8000; + che->ch[0].ret[j] = (int32_t)av_clip64((int64_t)che->ch[0].ret[j]<<7, INT32_MIN, INT32_MAX-0x8000)+0x8000; if(type == TYPE_CPE) - che->ch[1].ret[j] = (int32_t)av_clipl_int32((int64_t)che->ch[1].ret[j]<<7)+0x8000; + che->ch[1].ret[j] = (int32_t)av_clip64((int64_t)che->ch[1].ret[j]<<7, INT32_MIN, INT32_MAX-0x8000)+0x8000; } } #endif /* USE_FIXED */ diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index f4e3de0c71..fb9aba4e8d 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c 
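Review bot: In the `else` branch of subband_scale, `round = 1U << (s-1)` is defined only while `s - 1` stays within 0..31, and nothing visible in the hunk bounds `s` after `s = s + 32`. The unsigned literal removes the signed overflow at `s == 32`, but a shift count that is negative or at least 32 is still undefined, and `scale` and `offset` presumably derive from decoded stream data. If the branch condition above the hunk does not already guarantee the range, it should be checked before the shift; if it does, a comment such as `/* s is in 1..32 here */` would record it. The branch starts outside the hunk and the loop body is truncated on this page, so this rests on the visible lines only.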
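Review bot: `(int64_t)che->ch[0].ret[j]<<7` still left-shifts a signed value, which is undefined in C whenever the sample is negative, and the `ch[1]` line has the same problem. The new clip bound fixes the overflow of the `+0x8000` addition, but the shift is evaluated before the clip. Multiplying gives the same result and is defined: `av_clip64((int64_t)che->ch[0].ret[j] * 128, INT32_MIN, INT32_MAX-0x8000)`. A short comment on why the upper bound is `INT32_MAX-0x8000` would also help, since the rounding offset is added after the clip. The loop header is truncated on this page, so `ret[j]` is assumed to be a signed 32-bit integer.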
@@ -34,8 +34,9 @@ static SoftFloat sbr_sum_square_c(int (*x)[2], int n) { SoftFloat ret; - int64_t accu = 0; - int i, nz, round; + uint64_t accu = 0, round; + int i, nz; + unsigned u; for (i = 0; i < n; i += 2) { // Larger values are inavlid and could cause overflows of accu. @@ -49,22 +50,22 @@ static SoftFloat sbr_sum_square_c(int (*x)[2], int n) accu += (int64_t)x[i + 1][1] * x[i + 1][1]; } - i = (int)(accu >> 32); - if (i == 0) { + u = accu >> 32; + if (u == 0) { nz = 1; } else { - nz = 0; - while (FFABS(i) < 0x40000000) { - i <<= 1; + nz = -1; + while (u < 0x80000000U) { + u <<= 1; nz++; } nz = 32 - nz; } - round = 1 << (nz-1); - i = (int)((accu + round) >> nz); - i >>= 1; - ret = av_int2sf(i, 15 - nz); + round = 1ULL << (nz-1); + u = ((accu + round) >> nz); + u >>= 1; + ret = av_int2sf(u, 15 - nz); return ret; } @@ -107,7 +108,8 @@ static void sbr_qmf_deint_neg_c(int *v, const int *src) static av_always_inline SoftFloat autocorr_calc(int64_t accu) { - int nz, mant, expo, round; + int nz, mant, expo; + unsigned round; int i = (int)(accu >> 32); if (i == 0) { nz = 1; @@ -120,7 +122,7 @@ static av_always_inline SoftFloat autocorr_calc(int64_t accu) nz = 32-nz; } - round = 1 << (nz-1); + round = 1U << (nz-1); mant = (int)((accu + round) >> nz); mant = (mant + 0x40)>>7; mant <<= 6;
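Review bot: With `accu` now `uint64_t`, the context comment `// Larger values are inavlid and could cause overflows of accu.` no longer describes what happens, because an oversized input would make the sum wrap modulo 2^64 rather than overflow a signed value. I would state the invariant next to the declaration, for example `/* sum of squares; inputs are range-checked so it fits in 64 bits, unsigned so any wrap is defined */`, and correct the spelling of "invalid" in the same edit. The range check itself lies outside the hunk, so the exact limit should be taken from it.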
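Review bot: The rounding add in `u = ((accu + round) >> nz);` can wrap when the top 32 bits of `accu` are all ones: `nz` is then 33, `round` is `1ULL << 32`, and the sum wraps modulo 2^64, giving a mantissa near zero for the largest energy. Whether that value is reachable depends on the input check above the hunk, which is not visible here. The rounding can be done without the add, `u = (accu >> nz) + ((accu >> (nz - 1)) & 1);`, which matches the current result for every non-wrapping input and makes `round` unnecessary. The value is also narrowed from `uint64_t` to `unsigned` and then to `int` in `av_int2sf(u, 15 - nz)` without a cast; a comment that `u` is at most 2^30 after `u >>= 1` would document why that is safe.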
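Review bot: `round` is a 32-bit `unsigned` in autocorr_calc while sbr_sum_square_c in the same patch uses `uint64_t` with `1ULL`, so `1U << (nz-1)` in the next hunk is defined only if `nz` never exceeds 32. The loop that computes `nz` sits between this hunk and the next and is not shown, so that bound cannot be confirmed from the diff. The unchanged `int i = (int)(accu >> 32);` also keeps a signed top word, unlike the unsigned `u` now used in sbr_sum_square_c. I would either use the same `uint64_t round` and `1ULL` form in both functions, or add a comment such as `/* nz is in 1..32 here */` above the shift.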
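Review bot: `mant <<= 6` left-shifts a signed `int`, which is undefined in C when `mant` is negative, and `accu` is a signed `int64_t` so a negative mantissa looks possible; `mant *= 64;` is the defined equivalent. In `mant = (int)((accu + round) >> nz);` the addition is still performed in `int64_t`, because the `unsigned` operand is converted to the signed 64-bit type, so an `accu` close to INT64_MAX would overflow on the rounding add. Whether callers can produce such a value is not visible here. The function continues past the end of the hunk.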