[FFmpeg-cvslog] avcodec/ac3dec_fixed: Fix several invalid left shifts in scale_coefs()

Michael Niedermayer git at videolan.org
Fri Apr 24 02:14:45 EEST 2020


ffmpeg | branch: release/2.8 | Michael Niedermayer <michael at niedermayer.cc> | Sat Feb  1 21:25:33 2020 +0100| [d0d0962a8bee21a0bbac4768cc2b647486e230de] | committer: Michael Niedermayer

avcodec/ac3dec_fixed: Fix several invalid left shifts in scale_coefs()

Fixes: left shift of negative value -14336
Fixes: 20298/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-5675484201615360

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 8e30502abe62f741cfef1e7b75048ae86a99a50f)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d0d0962a8bee21a0bbac4768cc2b647486e230de
---

 libavcodec/ac3dec_fixed.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c
index 332a0622f5..760b74135a 100644
--- a/libavcodec/ac3dec_fixed.c
+++ b/libavcodec/ac3dec_fixed.c
@@ -107,29 +107,30 @@ static void scale_coefs (
       }
     } else {
       shift = -shift;
+      mul <<= shift;
       for (i=0; i<len; i+=8) {
 
           temp = src[i] * mul;
           temp1 = src[i+1] * mul;
           temp2 = src[i+2] * mul;
 
-          dst[i] = temp << shift;
+          dst[i] = temp;
           temp3 = src[i+3] * mul;
 
-          dst[i+1] = temp1 << shift;
+          dst[i+1] = temp1;
           temp4 = src[i + 4] * mul;
-          dst[i+2] = temp2 << shift;
+          dst[i+2] = temp2;
 
           temp5 = src[i+5] * mul;
-          dst[i+3] = temp3 << shift;
+          dst[i+3] = temp3;
           temp6 = src[i+6] * mul;
 
-          dst[i+4] = temp4 << shift;
+          dst[i+4] = temp4;
           temp7 = src[i+7] * mul;
 
-          dst[i+5] = temp5 << shift;
-          dst[i+6] = temp6 << shift;
-          dst[i+7] = temp7 << shift;
+          dst[i+5] = temp5;
+          dst[i+6] = temp6;
+          dst[i+7] = temp7;
 
       }
     }



More information about the ffmpeg-cvslog mailing list