From 40e54383a2f5c4ea64bcf2d486606e2879e53e0d Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Wed, 12 Feb 2020 21:30:08 +0100
Subject: [PATCH] avcodec/adpcm: Fix integer overflow in ADPCM THP

The reference (thp.txt) uses floats so wrap around would seem incorrect.

Fixes: signed integer overflow: 1073741824 + 1073741824 cannot be represented in type 'int'
Fixes: 20658/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_THP_fuzzer-5646302555930624

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit b12b05374f7025167e2c43449ceb8ba3f0a6083f)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/adpcm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index 75ee685b16..e91c59b033 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -1479,8 +1479,8 @@ static int adpcm_decode_frame(AVCodecContext *avctx, void *data,
                 int byte = bytestream2_get_byteu(&gb);
                 int index = (byte >> 4) & 7;
                 unsigned int exp = byte & 0x0F;
-                int factor1 = table[ch][index * 2];
-                int factor2 = table[ch][index * 2 + 1];
+                int64_t factor1 = table[ch][index * 2];
+                int64_t factor2 = table[ch][index * 2 + 1];
 
                 /* Decode 14 samples.  */
                 for (n = 0; n < 14 && (i * 14 + n < nb_samples); n++) {