From b1aecad9eae900b9c3054392994d150d5ae572c5 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 22 Jan 2020 23:11:47 +0100
Subject: avcodec/dpcm: Fix integer overflow in AV_CODEC_ID_GREMLIN_DPCM

Fixes: signed integer overflow: -2147479324 + -32568 cannot be represented in type 'int'
Fixes: 20103/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_GREMLIN_DPCM_fuzzer-5667667579240448

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/dpcm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'libavcodec')

diff --git a/libavcodec/dpcm.c b/libavcodec/dpcm.c
index 7d3934ee35..5958081b66 100644
--- a/libavcodec/dpcm.c
+++ b/libavcodec/dpcm.c
@@ -367,7 +367,7 @@ static int dpcm_decode_frame(AVCodecContext *avctx, void *data,
         while (output_samples < samples_end) {
             uint8_t n = bytestream2_get_byteu(&gb);
 
-            *output_samples++ = s->sample[idx] += s->array[n];
+            *output_samples++ = s->sample[idx] += (unsigned)s->array[n];
             idx ^= 1;
         }
         }
-- 
cgit v1.2.3