From 2ccd2c9003c77aee8ffb5f4f43863e35bdf0e4b6 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 19 May 2017 12:14:59 +0200 Subject: [PATCH] avcodec/aacsbr_fixed: Fix multiple runtime error: left shift of negative value -407 Fixes: 1674/clusterfuzz-testcase-minimized-6092531563495424 Fixes: 1686/clusterfuzz-testcase-minimized-6282691643179008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/aacdec_template.c | 4 ++-- libavcodec/aacsbr_fixed.c | 8 ++++---- libavcodec/sbrdsp_fixed.c | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/libavcodec/aacdec_template.c b/libavcodec/aacdec_template.c index a3780c647e..4b98142536 100644 --- a/libavcodec/aacdec_template.c +++ b/libavcodec/aacdec_template.c @@ -2800,9 +2800,9 @@ static void spectral_to_sample(AACContext *ac, int samples) int j; /* preparation for resampler */ for(j = 0; jch[0].ret[j] = (int32_t)av_clip64((int64_t)che->ch[0].ret[j]<<7, INT32_MIN, INT32_MAX-0x8000)+0x8000; + che->ch[0].ret[j] = (int32_t)av_clip64((int64_t)che->ch[0].ret[j]*128, INT32_MIN, INT32_MAX-0x8000)+0x8000; if(type == TYPE_CPE) - che->ch[1].ret[j] = (int32_t)av_clip64((int64_t)che->ch[1].ret[j]<<7, INT32_MIN, INT32_MAX-0x8000)+0x8000; + che->ch[1].ret[j] = (int32_t)av_clip64((int64_t)che->ch[1].ret[j]*128, INT32_MIN, INT32_MAX-0x8000)+0x8000; } } #endif /* USE_FIXED */ diff --git a/libavcodec/aacsbr_fixed.c b/libavcodec/aacsbr_fixed.c index b26314a7eb..b15a963ebf 100644 --- a/libavcodec/aacsbr_fixed.c +++ b/libavcodec/aacsbr_fixed.c @@ -289,7 +289,7 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, if (shift >= 3) alpha0[k][0] = 0x7fffffff; else { - a00.mant <<= 1; + a00.mant *= 2; shift = 2-shift; if (shift == 0) alpha0[k][0] = a00.mant; @@ -303,7 +303,7 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, if (shift >= 3) alpha0[k][1] = 0x7fffffff; else { - a01.mant <<= 1; + a01.mant *= 2; shift = 2-shift; if (shift == 0) alpha0[k][1] = a01.mant; @@ -316,7 +316,7 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, if (shift >= 3) alpha1[k][0] = 0x7fffffff; else { - a10.mant <<= 1; + a10.mant *= 2; shift = 2-shift; if (shift == 0) alpha1[k][0] = a10.mant; @@ -330,7 +330,7 @@ static void sbr_hf_inverse_filter(SBRDSPContext *dsp, if (shift >= 3) alpha1[k][1] = 0x7fffffff; else { - a11.mant <<= 1; + a11.mant *= 2; shift = 2-shift; if (shift == 0) alpha1[k][1] = a11.mant; diff --git a/libavcodec/sbrdsp_fixed.c b/libavcodec/sbrdsp_fixed.c index fb9aba4e8d..a018b4dd82 100644 --- a/libavcodec/sbrdsp_fixed.c +++ b/libavcodec/sbrdsp_fixed.c @@ -116,7 +116,7 @@ static av_always_inline SoftFloat autocorr_calc(int64_t accu) } else { nz = 0; while (FFABS(i) < 0x40000000) { - i <<= 1; + i *= 2; nz++; } nz = 32-nz; @@ -125,7 +125,7 @@ static av_always_inline SoftFloat autocorr_calc(int64_t accu) round = 1U << (nz-1); mant = (int)((accu + round) >> nz); mant = (mant + 0x40)>>7; - mant <<= 6; + mant *= 64; expo = nz + 15; return av_int2sf(mant, 30 - expo); }