avcodec/sbrdsp_fixed: Fix integer overflow in shift in sbr_hf_g_filt_c()
authorMichael Niedermayer <michael@niedermayer.cc>
Wed, 1 Nov 2017 13:00:20 +0000 (14:00 +0100)
committerMichael Niedermayer <michael@niedermayer.cc>
Wed, 31 Jan 2018 21:56:14 +0000 (22:56 +0100)
Fixes: runtime error: shift exponent 66 is too large for 64-bit type 'long long'
Fixes: 3642/clusterfuzz-testcase-minimized-5443853801750528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 981e99ab99986935affad7c164ebdfe28e8ea7f8)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/sbrdsp_fixed.c

index f45bb84..07ef121 100644 (file)
@@ -233,12 +233,14 @@ static void sbr_hf_g_filt_c(int (*Y)[2], const int (*X_high)[40][2],
     int64_t accu;
 
     for (m = 0; m < m_max; m++) {
-        int64_t r = 1LL << (22-g_filt[m].exp);
-        accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7);
-        Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp));
+        if (22 - g_filt[m].exp < 61) {
+            int64_t r = 1LL << (22-g_filt[m].exp);
+            accu = (int64_t)X_high[m][ixh][0] * ((g_filt[m].mant + 0x40)>>7);
+            Y[m][0] = (int)((accu + r) >> (23-g_filt[m].exp));
 
-        accu = (int64_t)X_high[m][ixh][1] * ((g_filt[m].mant + 0x40)>>7);
-        Y[m][1] = (int)((accu + r) >> (23-g_filt[m].exp));
+            accu = (int64_t)X_high[m][ixh][1] * ((g_filt[m].mant + 0x40)>>7);
+            Y[m][1] = (int)((accu + r) >> (23-g_filt[m].exp));
+        }
     }
 }
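Review bot: The new guard only bounds the shift from above; if `22 - g_filt[m].exp` is negative (exp above 22), `1LL << (22-g_filt[m].exp)` and the right shift by `23-g_filt[m].exp` are still undefined, so the condition should also reject that side, e.g. `if (22 - g_filt[m].exp >= 0 && 22 - g_filt[m].exp < 61) {`. Whether exp can actually exceed 22 depends on how the caller computes g_filt, which is outside this hunk, so a comment stating the assumed exp range would help either way. When the guard fails, Y[m][0] and Y[m][1] are left unwritten; unless Y is known to be zeroed by the caller, the skipped entries keep stale contents, and an `else { Y[m][0] = Y[m][1] = 0; }` would match the near-zero value such a tiny gain would have produced. The body of sbr_hf_g_filt_c begins before this hunk.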