[FFmpeg-cvslog] avcodec/mlp: Fix multiple runtime error: left shift of negative value -1

Michael Niedermayer git at videolan.org
Sat May 13 16:55:15 EEST 2017 

ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat May 13 14:39:26 2017 +0200| [74dc728a2c2cc353da20cdc09b8cdfbbe14b7be8] | committer: Michael Niedermayer

avcodec/mlp: Fix multiple runtime error: left shift of negative value -1

Fixes: 1512/clusterfuzz-testcase-minimized-4713846423945216

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=74dc728a2c2cc353da20cdc09b8cdfbbe14b7be8
---

 libavcodec/mlpdec.c | 6 +++---
 libavcodec/mlpdsp.c | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
index 7cad5d1cad..b471f0d760 100644
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -684,7 +684,7 @@ static int read_filter_params(MLPDecodeContext *m, GetBitContext *gbp,
         }
 
         for (i = 0; i < order; i++)
-            fcoeff[i] = get_sbits(gbp, coeff_bits) << coeff_shift;
+            fcoeff[i] = get_sbits(gbp, coeff_bits) * (1 << coeff_shift);
 
         if (get_bits1(gbp)) {
             int state_bits, state_shift;
@@ -999,8 +999,8 @@ static void generate_2_noise_channels(MLPDecodeContext *m, unsigned int substr)
 
     for (i = 0; i < s->blockpos; i++) {
         uint16_t seed_shr7 = seed >> 7;
-        m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) << s->noise_shift;
-        m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7)   << s->noise_shift;
+        m->sample_buffer[i][maxchan+1] = ((int8_t)(seed >> 15)) * (1 << s->noise_shift);
+        m->sample_buffer[i][maxchan+2] = ((int8_t) seed_shr7)   * (1 << s->noise_shift);
 
         seed = (seed << 16) ^ seed_shr7 ^ (seed_shr7 << 5);
     }
diff --git a/libavcodec/mlpdsp.c b/libavcodec/mlpdsp.c
index 3ae8c37708..2fc453c1f0 100644
--- a/libavcodec/mlpdsp.c
+++ b/libavcodec/mlpdsp.c
@@ -113,8 +113,8 @@ int32_t ff_mlp_pack_output(int32_t lossless_check_data,
     for (i = 0; i < blockpos; i++) {
         for (out_ch = 0; out_ch <= max_matrix_channel; out_ch++) {
             int mat_ch = ch_assign[out_ch];
-            int32_t sample = sample_buffer[i][mat_ch]
-                          << output_shift[mat_ch];
+            int32_t sample = sample_buffer[i][mat_ch] *
+                          (1 << output_shift[mat_ch]);
             lossless_check_data ^= (sample & 0xffffff) << mat_ch;
             if (is32)
                 *data_32++ = sample << 8;

More information about the ffmpeg-cvslog mailing list