From 6828048800a14bf0be44029348a7e5472e443bfd Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Thu, 27 Apr 2017 15:10:25 +0200 Subject: [PATCH] avcodec/svq3: Increase offsets to prevent integer overflows Fixes: 1280/clusterfuzz-testcase-minimized-6102353767825408 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer (cherry picked from commit 382b4fc9b5f3102f59743bf9c8619b31dd8ede1b) Signed-off-by: Michael Niedermayer --- libavcodec/svq3.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/libavcodec/svq3.c b/libavcodec/svq3.c index 57205c6ad1..1a9bfa294f 100644 --- a/libavcodec/svq3.c +++ b/libavcodec/svq3.c @@ -435,8 +435,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, int fx, fy; mx = (mx + 1 >> 1) + dx; my = (my + 1 >> 1) + dy; - fx = (unsigned)(mx + 0x3000) / 3 - 0x1000; - fy = (unsigned)(my + 0x3000) / 3 - 0x1000; + fx = (unsigned)(mx + 0x30000) / 3 - 0x10000; + fy = (unsigned)(my + 0x30000) / 3 - 0x10000; dxy = (mx - 3 * fx) + 4 * (my - 3 * fy); svq3_mc_dir_part(s, x, y, part_width, part_height, @@ -444,8 +444,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, mx += mx; my += my; } else if (mode == HALFPEL_MODE || mode == PREDICT_MODE) { - mx = (unsigned)(mx + 1 + 0x3000) / 3 + dx - 0x1000; - my = (unsigned)(my + 1 + 0x3000) / 3 + dy - 0x1000; + mx = (unsigned)(mx + 1 + 0x30000) / 3 + dx - 0x10000; + my = (unsigned)(my + 1 + 0x30000) / 3 + dy - 0x10000; dxy = (mx & 1) + 2 * (my & 1); svq3_mc_dir_part(s, x, y, part_width, part_height, @@ -453,8 +453,8 @@ static inline int svq3_mc_dir(SVQ3Context *s, int size, int mode, mx *= 3; my *= 3; } else { - mx = (unsigned)(mx + 3 + 0x6000) / 6 + dx - 0x1000; - my = (unsigned)(my + 3 + 0x6000) / 6 + dy - 0x1000; + mx = (unsigned)(mx + 3 + 0x60000) / 6 + dx - 0x10000; + my = (unsigned)(my + 3 + 0x60000) / 6 + dy - 0x10000; svq3_mc_dir_part(s, x, y, part_width, part_height, mx, my, 0, 0, dir, avg);