Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Fixes: 18333/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COMFORTNOISE_fuzzer-5668481831272448
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> --- libavutil/lfg.h | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/libavutil/lfg.h b/libavutil/lfg.h index 03f779ad8a..94b02909ec 100644 --- a/libavutil/lfg.h +++ b/libavutil/lfg.h @@ -45,8 +45,9 @@ int av_lfg_init_from_data(AVLFG *c, const uint8_t *data, unsigned int length); * it may be good enough and faster for your specific use case. */ static inline unsigned int av_lfg_get(AVLFG *c){ - c->state[c->index & 63] = c->state[(c->index-24) & 63] + c->state[(c->index-55) & 63]; - return c->state[c->index++ & 63]; + unsigned a = c->state[c->index & 63] = c->state[(c->index-24) & 63] + c->state[(c->index-55) & 63]; + c->index += 1U; + return a; } /** @@ -57,7 +58,9 @@ static inline unsigned int av_lfg_get(AVLFG *c){ static inline unsigned int av_mlfg_get(AVLFG *c){ unsigned int a= c->state[(c->index-55) & 63]; unsigned int b= c->state[(c->index-24) & 63]; - return c->state[c->index++ & 63] = 2*a*b+a+b; + a = c->state[c->index & 63] = 2*a*b+a+b; + c->index += 1U; + return a; } /** -- 2.23.0 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
