avcodec/vc1_block: Fix integer overflow in AC rescaling in vc1_decode_i_block_adv()

Fixes: signed integer overflow: 50176 * 262144 cannot be represented in type 'int' Fixes: 18629/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VC1IMAGE_fuzzer-5182370286403584 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2019-11-08 18:31:02 +0100
committer: Michael Niedermayer <michael@niedermayer.cc> 2019-12-01 17:17:04 +0100
commit: 0e010e489b70c044a67c47083cf8eb03209ee89f (patch)
tree: 88c65187e889ede50e4c9396c975f7aeb2105026 /libavcodec/vc1_block.c
parent: 47d963335eb2c36c0e6615d7971c762458e813dd (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/vc1_block.c b/libavcodec/vc1_block.c
index 20dbf63751..0ccaf6b022 100644
--- a/libavcodec/vc1_block.c
+++ b/libavcodec/vc1_block.c
@@ -889,7 +889,7 @@ static int vc1_decode_i_block_adv(VC1Context *v, int16_t block[64], int n,
                 q2 = FFABS(q2) * 2 + ((q2 < 0) ? 0 : v->halfpq) - 1;
             if (q2 && q1 != q2) {
                 for (k = 1; k < 8; k++)
-                    ac_val2[k] = (ac_val2[k] * q2 * ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18;
+                    ac_val2[k] = (int)(ac_val2[k] * q2 * (unsigned)ff_vc1_dqscale[q1 - 1] + 0x20000) >> 18;
             }
             for (k = 1; k < 8; k++) {
                 block[k << sh] = ac_val2[k] * scale;
author	Michael Niedermayer <michael@niedermayer.cc>	2019-11-08 18:31:02 +0100
committer	Michael Niedermayer <michael@niedermayer.cc>	2019-12-01 17:17:04 +0100
commit	0e010e489b70c044a67c47083cf8eb03209ee89f (patch)
tree	88c65187e889ede50e4c9396c975f7aeb2105026 /libavcodec/vc1_block.c
parent	47d963335eb2c36c0e6615d7971c762458e813dd (diff)