This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/8.1 in repository ffmpeg.
commit a8a7a2afa168b8abc08b08188a1d0b0895a58b5f Author: Michael Niedermayer <[email protected]> AuthorDate: Sun May 31 18:58:42 2026 +0200 Commit: Michael Niedermayer <[email protected]> CommitDate: Sun Jun 14 04:41:00 2026 +0200 avcodec/aac/aacdec_usac: avoid signed overflow in decode_tsd decode_tsd() computes the binomial coefficient c = C(k, p) incrementally. this commit makes it less overflow prone Fixes: 515703905/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_DEC_fuzzer-4890954254581760 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit 69c9f1158c153b2dc260aa724e5dc285286079b2) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/aac/aacdec_usac.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libavcodec/aac/aacdec_usac.c b/libavcodec/aac/aacdec_usac.c index 2f4db63ba0..4cd59e6ea5 100644 --- a/libavcodec/aac/aacdec_usac.c +++ b/libavcodec/aac/aacdec_usac.c @@ -1385,11 +1385,10 @@ static void decode_tsd(GetBitContext *gb, int *data, break; } int64_t c = k - p + 1; - for (int h = 2; h <= p; h++) { - c *= k - p + h; - c /= h; + for (int h = 2; h <= p && c <= s; h++) { + c += c*(k-p)/h; } - if (s >= (int)c) { /* c is long long for up to 32 slots */ + if (s >= c) { s -= c; data[k] = 1; p--; _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
