avcodec/vc1_block: Fixes integer overflow in vc1_decode_i_block_adv()

Fixes: signed integer overflow: 62220 * 262144 cannot be represented in type 'int' Fixes: 17145/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5667394743173120 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2019-09-28 21:19:26 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2019-10-20 19:57:51 +0200
commit: 6fdeb208172dc95b29b965a0cc365ca0925e151e (patch)
tree: 688e08d06c50b20eed694dd6b5d7f6e0350712a4 /libavcodec/vc1_block.c
parent: fe63ace98ecaff1fffe9a9841f2581d8939a68b2 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c
index f1c9f41f30..4c6dfaf6bf 100644
--- a/libavcodec/vc1_block.c
+++ b/libavcodec/vc1_block.c
@@ -846,7 +846,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n,
                 q2 = FFABS(q2) * 2 + ((q2 < 0) ? 0 : v->halfpq) - 1;
             if (q2 && q1 != q2) {
                 for (k = 1; k < 8; k++)
-                    block[k << sh] += (ac_val[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18;
+                    block[k << sh] += (int)(ac_val[k] * (unsigned)q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18;
             } else {
                 for (k = 1; k < 8; k++)
                     block[k << sh] += ac_val[k];
author	Michael Niedermayer <michael@niedermayer.cc>	2019-09-28 21:19:26 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2019-10-20 19:57:51 +0200
commit	6fdeb208172dc95b29b965a0cc365ca0925e151e (patch)
tree	688e08d06c50b20eed694dd6b5d7f6e0350712a4 /libavcodec/vc1_block.c
parent	fe63ace98ecaff1fffe9a9841f2581d8939a68b2 (diff)