vp9-rtc: Fix integer overflow in key frame target size

The integer overflow happens in vp9_calc_iframe_target_size_one_pass_cbr(), when calculating the target size for L1T3 encoding. The input target bitrate(kbps) is very large, so it gets set to INT_MAX (before being multiplied by 1000 to convert to bps), and avg_frame_bandwidth is then set to (INT_MAX / lc->framerate), which when multipled by (16 + kf_boost) can exceed INT_MAX. Fix is to cast the operands to int64_t and final result to int. Bug: chromium:340918567 Change-Id: Ic00094b22c1f12ca988c0cb1fcaed473e1f8ed2b
webmproject · May 16, 2024 · 5b4cfe8 · 5b4cfe8
1 parent 611d9ba
commit 5b4cfe8
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/vp9/encoder/vp9_ratectrl.c b/vp9/encoder/vp9_ratectrl.c
@@ -2199,7 +2199,7 @@ int vp9_calc_iframe_target_size_one_pass_cbr(const VP9_COMP *cpi) {
     if (rc->frames_since_key < framerate / 2) {
       kf_boost = (int)(kf_boost * rc->frames_since_key / (framerate / 2));
     }
-    target = ((16 + kf_boost) * rc->avg_frame_bandwidth) >> 4;
+    target = (int)(((int64_t)(16 + kf_boost) * rc->avg_frame_bandwidth) >> 4);
   }
   return vp9_rc_clamp_iframe_target_size(cpi, target);
 }