avcodec/wavpack: Fix signed integer overflow: 1285114081 * 2 cannot be represented...

Fixes: 945/clusterfuzz-testcase-6037937588273152
Fixes: integer overflow

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavcodec/wavpack.c b/libavcodec/wavpack.c
index bc4402f..d2ba97e 100644 (file)
--- a/libavcodec/wavpack.c
+++ b/libavcodec/wavpack.c
@@ -240,7 +240,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb,
         if (get_bits_left(gb) <= 0)
             goto error;
     } else {
-        int mid = (base * 2 + add + 1) >> 1;
+        int mid = (base * 2U + add + 1) >> 1;
         while (add > c->error_limit) {
             if (get_bits_left(gb) <= 0)
                 goto error;
@@ -249,7 +249,7 @@ static int wv_get_value(WavpackFrameContext *ctx, GetBitContext *gb,
                 base = mid;
             } else
                 add = mid - base - 1;
-            mid = (base * 2 + add + 1) >> 1;
+            mid = (base * 2U + add + 1) >> 1;
         }
         ret = mid;
     }