From 257ab5a6ac8c28cfa44d0d650a0a50c6d2fdb427 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Mon, 13 Oct 2025 14:32:45 +0200
Subject: [PATCH] swscale/output: Fix integer overflow in yuv2ya16_X_c_template()
Found-by: colod colod
Fixes: CVE-2025-63757
Signed-off-by: Michael Niedermayer
(cherry picked from commit 0c6b7f9483a38657c9be824572b4c0c45d4d9fef)
Signed-off-by: Michael Niedermayer
(cherry picked from commit ac4caa33bae5841649c61d4f8a0608dfa59c4fa1)
Signed-off-by: Carlos Henrique Lima Melara
---
 libswscale/output.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libswscale/output.c b/libswscale/output.c
index 3cb00b4c99..d9b16f3516 100644
--- a/libswscale/output.c
+++ b/libswscale/output.c
@@ -909,7 +909,7 @@ yuv2ya16_X_c_template(SwsContext *c, const int16_t *lumFilter,
 int A = 0xffff;
 for (j = 0; j < lumFilterSize; j++)
- Y += lumSrc[j][i] * lumFilter[j];
+ Y += lumSrc[j][i] * (unsigned)lumFilter[j];
 Y >>= 15;
 Y += (1<<3) + 0x8000;
@@ -918,7 +918,7 @@ yuv2ya16_X_c_template(SwsContext *c, const int16_t *lumFilter,
 if (hasAlpha) {
 A = -0x40000000 + (1<<14);
 for (j = 0; j < lumFilterSize; j++)
- A += alpSrc[j][i] * lumFilter[j];
+ A += alpSrc[j][i] * (unsigned)lumFilter[j];
 A >>= 15;
 A += 0x8000;
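Review bot: The `(unsigned)` cast on `lumFilter[j]` in the `Y` accumulation carries no comment, so a later reader cannot tell that it is a deliberate switch to wrapping arithmetic rather than a stray cast that is safe to tidy away; the same applies to the `A` accumulation in the second hunk. I would add above each loop something like `/* unsigned multiply-accumulate: wraps on overflow instead of signed-overflow UB */`. The sum is still stored back into an `int`, and the following `>>= 15` may act on a negative value; both are implementation-defined rather than undefined, which is presumably acceptable on the supported compilers but worth stating next to the cast. The function body starts and ends outside both hunks, so whether the wrapped value is clamped before it is written out cannot be confirmed from here.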