From 949d2176ef0a37c6ecbb65be0f1199536a2d9278 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sun, 26 Feb 2017 20:28:02 +0100
Subject: avcodec/dca: Fix multiple runtime error: signed integer overflow

Fixes: 680/clusterfuzz-testcase-5416627266912256
Fixes: 681/clusterfuzz-testcase-5013323462475776

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dca_xll.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'libavcodec/dca_xll.c')

diff --git a/libavcodec/dca_xll.c b/libavcodec/dca_xll.c
index 3dfde6b68d..6cebda35e4 100644
--- a/libavcodec/dca_xll.c
+++ b/libavcodec/dca_xll.c
@@ -652,7 +652,7 @@ static void chs_filter_band_data(DCAXllDecoder *s, DCAXllChSet *c, int band)
                 int64_t err = 0;
                 for (k = 0; k < order; k++)
                     err += (int64_t)buf[j + k] * coeff[order - k - 1];
-                buf[j + k] -= clip23(norm16(err));
+                buf[j + k] -= (SUINT)clip23(norm16(err));
             }
         } else {
             // Inverse fixed coefficient prediction
@@ -1308,7 +1308,7 @@ static int combine_residual_frame(DCAXllDecoder *s, DCAXllChSet *c)
             // Undo embedded core downmix pre-scaling
             int scale_inv = o->dmix_scale_inv[c->hier_ofs + ch];
             for (n = 0; n < nsamples; n++)
-                dst[n] += clip23((mul16(src[n], scale_inv) + round) >> shift);
+                dst[n] += (SUINT)clip23((mul16(src[n], scale_inv) + round) >> shift);
         } else {
             // No downmix scaling
             for (n = 0; n < nsamples; n++)
-- 
cgit v1.2.3