[FFmpeg-cvslog] avcodec/takdec: Fix multiple runtime error: left shift of negative value -1

Michael Niedermayer git at videolan.org
Wed May 10 02:11:15 EEST 2017


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Wed May 10 00:44:37 2017 +0200| [c5d2fa2fdff08e77bba0c9a31b91826a807c551c] | committer: Michael Niedermayer

avcodec/takdec: Fix multiple  runtime error: left shift of negative value -1

Fixes: 1423/clusterfuzz-testcase-minimized-5063889899225088

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c5d2fa2fdff08e77bba0c9a31b91826a807c551c
---

 libavcodec/takdec.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/libavcodec/takdec.c b/libavcodec/takdec.c
index 5dfcca82ab..42939b4058 100644
--- a/libavcodec/takdec.c
+++ b/libavcodec/takdec.c
@@ -433,19 +433,19 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded,
 
     s->predictors[0] = get_sbits(gb, 10);
     s->predictors[1] = get_sbits(gb, 10);
-    s->predictors[2] = get_sbits(gb, size) << (10 - size);
-    s->predictors[3] = get_sbits(gb, size) << (10 - size);
+    s->predictors[2] = get_sbits(gb, size) * (1 << (10 - size));
+    s->predictors[3] = get_sbits(gb, size) * (1 << (10 - size));
     if (filter_order > 4) {
         int tmp = size - get_bits1(gb);
 
         for (i = 4; i < filter_order; i++) {
             if (!(i & 3))
                 x = tmp - get_bits(gb, 2);
-            s->predictors[i] = get_sbits(gb, x) << (10 - size);
+            s->predictors[i] = get_sbits(gb, x) * (1 << (10 - size));
         }
     }
 
-    tfilter[0] = s->predictors[0] << 6;
+    tfilter[0] = s->predictors[0] * 64;
     for (i = 1; i < filter_order; i++) {
         int32_t *p1 = &tfilter[0];
         int32_t *p2 = &tfilter[i - 1];
@@ -457,7 +457,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded,
             p2--;
         }
 
-        tfilter[i] = s->predictors[i] << 6;
+        tfilter[i] = s->predictors[i] * 64;
     }
 
     x = 1 << (32 - (15 - filter_quant));
@@ -491,7 +491,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded,
                      s->residues[i + j + 1] * s->filter[j + 1] +
                      s->residues[i + j    ] * s->filter[j    ];
             }
-            v = (av_clip_intp2(v >> filter_quant, 13) << dshift) - *decoded;
+            v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - *decoded;
             *decoded++ = v;
             s->residues[filter_order + i] = v >> dshift;
         }



More information about the ffmpeg-cvslog mailing list