[FFmpeg-cvslog] avcodec/g723_1: Fix multiple runtime error: left shift of negative value

Michael Niedermayer git at videolan.org
Sat May 6 18:12:08 EEST 2017


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat May  6 16:32:56 2017 +0200| [4ace2d22192f3995911ec926940125dcb29d606a] | committer: Michael Niedermayer

avcodec/g723_1: Fix multiple runtime error: left shift of negative value

Fixes: 1367/clusterfuzz-testcase-minimized-571496882346393

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=4ace2d22192f3995911ec926940125dcb29d606a
---

 libavcodec/g723_1.c    | 18 +++++++++---------
 libavcodec/g723_1.h    |  2 +-
 libavcodec/g723_1dec.c |  4 ++--
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/libavcodec/g723_1.c b/libavcodec/g723_1.c
index a11fec8a9e..78ce922266 100644
--- a/libavcodec/g723_1.c
+++ b/libavcodec/g723_1.c
@@ -41,7 +41,7 @@ int ff_g723_1_scale_vector(int16_t *dst, const int16_t *vector, int length)
     bits= FFMAX(bits, 0);
 
     for (i = 0; i < length; i++)
-        dst[i] = vector[i] << bits >> 3;
+        dst[i] = (vector[i] * (1 << bits)) >> 3;
 
     return bits - 3;
 }
@@ -125,9 +125,9 @@ static void lsp2lpc(int16_t *lpc)
     for (j = 0; j < LPC_ORDER; j++) {
         int index     = (lpc[j] >> 7) & 0x1FF;
         int offset    = lpc[j] & 0x7f;
-        int temp1     = cos_tab[index] << 16;
+        int temp1     = cos_tab[index] * (1 << 16);
         int temp2     = (cos_tab[index + 1] - cos_tab[index]) *
-                          ((offset << 8) + 0x80) << 1;
+                          (((offset << 8) + 0x80) << 1);
 
         lpc[j] = -(av_sat_dadd32(1 << 15, temp1 + temp2) >> 16);
     }
@@ -138,11 +138,11 @@ static void lsp2lpc(int16_t *lpc)
      */
     /* Initialize with values in Q28 */
     f1[0] = 1 << 28;
-    f1[1] = (lpc[0] << 14) + (lpc[2] << 14);
+    f1[1] = (lpc[0] + lpc[2]) * (1 << 14);
     f1[2] = lpc[0] * lpc[2] + (2 << 28);
 
     f2[0] = 1 << 28;
-    f2[1] = (lpc[1] << 14) + (lpc[3] << 14);
+    f2[1] = (lpc[1] + lpc[3]) * (1 << 14);
     f2[2] = lpc[1] * lpc[3] + (2 << 28);
 
     /*
@@ -162,8 +162,8 @@ static void lsp2lpc(int16_t *lpc)
 
         f1[0] >>= 1;
         f2[0] >>= 1;
-        f1[1] = ((lpc[2 * i]     << 16 >> i) + f1[1]) >> 1;
-        f2[1] = ((lpc[2 * i + 1] << 16 >> i) + f2[1]) >> 1;
+        f1[1] = ((lpc[2 * i]     * 65536 >> i) + f1[1]) >> 1;
+        f2[1] = ((lpc[2 * i + 1] * 65536 >> i) + f2[1]) >> 1;
     }
 
     /* Convert polynomial coefficients to LPC coefficients */
@@ -171,8 +171,8 @@ static void lsp2lpc(int16_t *lpc)
         int64_t ff1 = f1[i + 1] + f1[i];
         int64_t ff2 = f2[i + 1] - f2[i];
 
-        lpc[i] = av_clipl_int32(((ff1 + ff2) << 3) + (1 << 15)) >> 16;
-        lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) << 3) +
+        lpc[i] = av_clipl_int32(((ff1 + ff2) * 8) + (1 << 15)) >> 16;
+        lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) * 8) +
                                                 (1 << 15)) >> 16;
     }
 }
diff --git a/libavcodec/g723_1.h b/libavcodec/g723_1.h
index 40d6e700b1..f833af01c6 100644
--- a/libavcodec/g723_1.h
+++ b/libavcodec/g723_1.h
@@ -55,7 +55,7 @@
  * @param b 16 bit multiplier
  */
 #define MULL2(a, b) \
-        ((((a) >> 16) * (b) << 1) + (((a) & 0xffff) * (b) >> 15))
+        ((((a) >> 16) * (b) * 2) + (((a) & 0xffff) * (b) >> 15))
 
 /**
  * G723.1 frame types
diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c
index e9896b5e7a..0b9fd39946 100644
--- a/libavcodec/g723_1dec.c
+++ b/libavcodec/g723_1dec.c
@@ -517,7 +517,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag,
                       (iir_coef)[n - 1] * ((dest)[m - n] >> in_shift);\
         }\
 \
-        (dest)[m] = av_clipl_int32(((src)[m] << 16) + (filter << 3) +\
+        (dest)[m] = av_clipl_int32(((src)[m] * 65536) + (filter * 8) +\
                                    (1 << 15)) >> res_shift;\
     }\
 }
@@ -904,7 +904,7 @@ static int g723_1_decode_frame(AVCodecContext *avctx, void *data,
                                              &p->subframe[i], p->cur_rate);
                 /* Get the total excitation */
                 for (j = 0; j < SUBFRAME_LEN; j++) {
-                    int v = av_clip_int16(vector_ptr[j] << 1);
+                    int v = av_clip_int16(vector_ptr[j] * 2);
                     vector_ptr[j] = av_clip_int16(v + acb_vector[j]);
                 }
                 vector_ptr += SUBFRAME_LEN;



More information about the ffmpeg-cvslog mailing list