diff mbox series

[FFmpeg-devel,1/4] avcodec/ac3dec_fixed: Fix several invalid left shifts in scale_coefs()

Message ID 20200202001639.32084-1-michael@niedermayer.cc
State Accepted
Commit 8e30502abe62f741cfef1e7b75048ae86a99a50f
Headers show
Series [FFmpeg-devel,1/4] avcodec/ac3dec_fixed: Fix several invalid left shifts in scale_coefs() | expand

Checks

Context Check Description
andriy/ffmpeg-patchwork success Make fate finished

Commit Message

Michael Niedermayer Feb. 2, 2020, 12:16 a.m. UTC 
Fixes: left shift of negative value -14336
Fixes: 20298/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-5675484201615360

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/ac3dec_fixed.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

Comments

Michael Niedermayer April 15, 2020, 10:50 p.m. UTC | #1 
On Sun, Feb 02, 2020 at 01:16:36AM +0100, Michael Niedermayer wrote:
> Fixes: left shift of negative value -14336
> Fixes: 20298/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-5675484201615360
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/ac3dec_fixed.c | 17 +++++++++--------
>  1 file changed, 9 insertions(+), 8 deletions(-)

will apply

[...]
diff mbox series

Patch

diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c
index bd66175d50..1e1edc8964 100644
--- a/libavcodec/ac3dec_fixed.c
+++ b/libavcodec/ac3dec_fixed.c
@@ -107,29 +107,30 @@  static void scale_coefs (
       }
     } else {
       shift = -shift;
+      mul <<= shift;
       for (i=0; i<len; i+=8) {
 
           temp = src[i] * mul;
           temp1 = src[i+1] * mul;
           temp2 = src[i+2] * mul;
 
-          dst[i] = temp << shift;
+          dst[i] = temp;
           temp3 = src[i+3] * mul;
 
-          dst[i+1] = temp1 << shift;
+          dst[i+1] = temp1;
           temp4 = src[i + 4] * mul;
-          dst[i+2] = temp2 << shift;
+          dst[i+2] = temp2;
 
           temp5 = src[i+5] * mul;
-          dst[i+3] = temp3 << shift;
+          dst[i+3] = temp3;
           temp6 = src[i+6] * mul;
 
-          dst[i+4] = temp4 << shift;
+          dst[i+4] = temp4;
           temp7 = src[i+7] * mul;
 
-          dst[i+5] = temp5 << shift;
-          dst[i+6] = temp6 << shift;
-          dst[i+7] = temp7 << shift;
+          dst[i+5] = temp5;
+          dst[i+6] = temp6;
+          dst[i+7] = temp7;
 
       }
     }