Fixes: left shift of negative value -14336
Fixes: 20298/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-5675484201615360
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> --- libavcodec/ac3dec_fixed.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c index bd66175d50..1e1edc8964 100644 --- a/libavcodec/ac3dec_fixed.c +++ b/libavcodec/ac3dec_fixed.c @@ -107,29 +107,30 @@ static void scale_coefs ( } } else { shift = -shift; + mul <<= shift; for (i=0; i<len; i+=8) { temp = src[i] * mul; temp1 = src[i+1] * mul; temp2 = src[i+2] * mul; - dst[i] = temp << shift; + dst[i] = temp; temp3 = src[i+3] * mul; - dst[i+1] = temp1 << shift; + dst[i+1] = temp1; temp4 = src[i + 4] * mul; - dst[i+2] = temp2 << shift; + dst[i+2] = temp2; temp5 = src[i+5] * mul; - dst[i+3] = temp3 << shift; + dst[i+3] = temp3; temp6 = src[i+6] * mul; - dst[i+4] = temp4 << shift; + dst[i+4] = temp4; temp7 = src[i+7] * mul; - dst[i+5] = temp5 << shift; - dst[i+6] = temp6 << shift; - dst[i+7] = temp7 << shift; + dst[i+5] = temp5; + dst[i+6] = temp6; + dst[i+7] = temp7; } } -- 2.17.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
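Review bot: the new `mul <<= shift;` in the else branch of scale_coefs only removes the reported undefined behaviour if `mul` is never negative there and the shifted value still fits its type, and neither the declaration nor the range of `mul` and `shift` is visible in this hunk. If `mul` can be negative, the left shift of a negative value has just moved from the eight `dst[i+k] = tempk << shift` lines to this one line. Folding the shift into the multiplier also means `src[i] * mul` now produces the full shifted result inside the multiplication, so if these are signed types, any case where the old shift overflowed becomes a signed multiplication overflow instead. Please add a short comment stating the range of `mul` and `shift` in this branch that makes the pre-shift safe, or do the shift and multiply in an unsigned type and convert back when storing to `dst`. A line in the commit message saying the output is unchanged for in-range inputs would also help, since the message currently only names the fuzzer finding.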