Commit 4ace2d22 authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec/g723_1: Fix multiple runtime error: left shift of negative value

Fixes: 1367/clusterfuzz-testcase-minimized-571496882346393

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpegSigned-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent fc2c420b
...@@ -41,7 +41,7 @@ int ff_g723_1_scale_vector(int16_t *dst, const int16_t *vector, int length) ...@@ -41,7 +41,7 @@ int ff_g723_1_scale_vector(int16_t *dst, const int16_t *vector, int length)
bits= FFMAX(bits, 0); bits= FFMAX(bits, 0);
for (i = 0; i < length; i++) for (i = 0; i < length; i++)
dst[i] = vector[i] << bits >> 3; dst[i] = (vector[i] * (1 << bits)) >> 3;
return bits - 3; return bits - 3;
} }
...@@ -125,9 +125,9 @@ static void lsp2lpc(int16_t *lpc) ...@@ -125,9 +125,9 @@ static void lsp2lpc(int16_t *lpc)
for (j = 0; j < LPC_ORDER; j++) { for (j = 0; j < LPC_ORDER; j++) {
int index = (lpc[j] >> 7) & 0x1FF; int index = (lpc[j] >> 7) & 0x1FF;
int offset = lpc[j] & 0x7f; int offset = lpc[j] & 0x7f;
int temp1 = cos_tab[index] << 16; int temp1 = cos_tab[index] * (1 << 16);
int temp2 = (cos_tab[index + 1] - cos_tab[index]) * int temp2 = (cos_tab[index + 1] - cos_tab[index]) *
((offset << 8) + 0x80) << 1; (((offset << 8) + 0x80) << 1);
lpc[j] = -(av_sat_dadd32(1 << 15, temp1 + temp2) >> 16); lpc[j] = -(av_sat_dadd32(1 << 15, temp1 + temp2) >> 16);
} }
...@@ -138,11 +138,11 @@ static void lsp2lpc(int16_t *lpc) ...@@ -138,11 +138,11 @@ static void lsp2lpc(int16_t *lpc)
*/ */
/* Initialize with values in Q28 */ /* Initialize with values in Q28 */
f1[0] = 1 << 28; f1[0] = 1 << 28;
f1[1] = (lpc[0] << 14) + (lpc[2] << 14); f1[1] = (lpc[0] + lpc[2]) * (1 << 14);
f1[2] = lpc[0] * lpc[2] + (2 << 28); f1[2] = lpc[0] * lpc[2] + (2 << 28);
f2[0] = 1 << 28; f2[0] = 1 << 28;
f2[1] = (lpc[1] << 14) + (lpc[3] << 14); f2[1] = (lpc[1] + lpc[3]) * (1 << 14);
f2[2] = lpc[1] * lpc[3] + (2 << 28); f2[2] = lpc[1] * lpc[3] + (2 << 28);
/* /*
...@@ -162,8 +162,8 @@ static void lsp2lpc(int16_t *lpc) ...@@ -162,8 +162,8 @@ static void lsp2lpc(int16_t *lpc)
f1[0] >>= 1; f1[0] >>= 1;
f2[0] >>= 1; f2[0] >>= 1;
f1[1] = ((lpc[2 * i] << 16 >> i) + f1[1]) >> 1; f1[1] = ((lpc[2 * i] * 65536 >> i) + f1[1]) >> 1;
f2[1] = ((lpc[2 * i + 1] << 16 >> i) + f2[1]) >> 1; f2[1] = ((lpc[2 * i + 1] * 65536 >> i) + f2[1]) >> 1;
} }
/* Convert polynomial coefficients to LPC coefficients */ /* Convert polynomial coefficients to LPC coefficients */
...@@ -171,8 +171,8 @@ static void lsp2lpc(int16_t *lpc) ...@@ -171,8 +171,8 @@ static void lsp2lpc(int16_t *lpc)
int64_t ff1 = f1[i + 1] + f1[i]; int64_t ff1 = f1[i + 1] + f1[i];
int64_t ff2 = f2[i + 1] - f2[i]; int64_t ff2 = f2[i + 1] - f2[i];
lpc[i] = av_clipl_int32(((ff1 + ff2) << 3) + (1 << 15)) >> 16; lpc[i] = av_clipl_int32(((ff1 + ff2) * 8) + (1 << 15)) >> 16;
lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) << 3) + lpc[LPC_ORDER - i - 1] = av_clipl_int32(((ff1 - ff2) * 8) +
(1 << 15)) >> 16; (1 << 15)) >> 16;
} }
} }
......
...@@ -55,7 +55,7 @@ ...@@ -55,7 +55,7 @@
* @param b 16 bit multiplier * @param b 16 bit multiplier
*/ */
#define MULL2(a, b) \ #define MULL2(a, b) \
((((a) >> 16) * (b) << 1) + (((a) & 0xffff) * (b) >> 15)) ((((a) >> 16) * (b) * 2) + (((a) & 0xffff) * (b) >> 15))
/** /**
* G723.1 frame types * G723.1 frame types
......
...@@ -517,7 +517,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag, ...@@ -517,7 +517,7 @@ static void residual_interp(int16_t *buf, int16_t *out, int lag,
(iir_coef)[n - 1] * ((dest)[m - n] >> in_shift);\ (iir_coef)[n - 1] * ((dest)[m - n] >> in_shift);\
}\ }\
\ \
(dest)[m] = av_clipl_int32(((src)[m] << 16) + (filter << 3) +\ (dest)[m] = av_clipl_int32(((src)[m] * 65536) + (filter * 8) +\
(1 << 15)) >> res_shift;\ (1 << 15)) >> res_shift;\
}\ }\
} }
...@@ -904,7 +904,7 @@ static int g723_1_decode_frame(AVCodecContext *avctx, void *data, ...@@ -904,7 +904,7 @@ static int g723_1_decode_frame(AVCodecContext *avctx, void *data,
&p->subframe[i], p->cur_rate); &p->subframe[i], p->cur_rate);
/* Get the total excitation */ /* Get the total excitation */
for (j = 0; j < SUBFRAME_LEN; j++) { for (j = 0; j < SUBFRAME_LEN; j++) {
int v = av_clip_int16(vector_ptr[j] << 1); int v = av_clip_int16(vector_ptr[j] * 2);
vector_ptr[j] = av_clip_int16(v + acb_vector[j]); vector_ptr[j] = av_clip_int16(v + acb_vector[j]);
} }
vector_ptr += SUBFRAME_LEN; vector_ptr += SUBFRAME_LEN;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment