From: Michael Niedermayer Date: Thu, 11 May 2017 21:06:50 +0000 (+0200) Subject: avcodec/mss3: Fix runtime error: signed integer overflow: -2146318336 - 2139696256... X-Git-Tag: android-x86-7.1-r1~377 X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=d05bdba2428dd0c1c5cd3426d69c712b127f996c;p=android-x86%2Fexternal-ffmpeg.git avcodec/mss3: Fix runtime error: signed integer overflow: -2146318336 - 2139696256 cannot be represented in type 'int' Fix is similar to rac_get_model_sym() Fixes: 1483/clusterfuzz-testcase-minimized-6386507814273024 Fixes: 1485/clusterfuzz-testcase-minimized-6639880215986176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer --- diff --git a/libavcodec/mss3.c b/libavcodec/mss3.c index 81b7e2017c..21226f9085 100644 --- a/libavcodec/mss3.c +++ b/libavcodec/mss3.c @@ -389,9 +389,10 @@ static int rac_get_model_sym(RangeCoder *c, Model *m) static int rac_get_model256_sym(RangeCoder *c, Model256 *m) { - int prob, prob2, helper, val; + int val; int start, end; int ssym; + unsigned prob, prob2, helper; prob2 = c->range; c->range >>= MODEL_SCALE;
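Review bot: In the declaration change at the top of rac_get_model256_sym(), `prob`, `prob2` and `helper` become `unsigned` while `val`, `start`, `end` and `ssym` stay `int`, so any later expression that mixes the two groups will convert the signed operand to unsigned before comparing or subtracting. The rest of the function body is not in this hunk, so please confirm that no comparison or difference there relies on a negative intermediate value. The reported subtraction (-2146318336 - 2139696256) will now wrap as unsigned arithmetic instead of being undefined; that silences the sanitizer but does not by itself reject the input, so the commit message or a comment should say whether the wrapped value is the intended range-coder result. A short comment on the `unsigned prob, prob2, helper;` line noting that the type is deliberate and mirrors rac_get_model_sym() would keep a later cleanup from folding it back into the `int` declarations.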