highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avcodec/takdec: Fix multiple runtime error: left shift of negative value -1

Browse Source 
Fixes: 1423/clusterfuzz-testcase-minimized-5063889899225088

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2017-05-10 00:44:37 +02:00
parent 65b7109105
commit c5d2fa2fdf
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
libavcodec/takdec.c
View File

@ -433,19 +433,19 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded,
s->predictors[0] = get_sbits(gb, 10); s->predictors[0] = get_sbits(gb, 10);
s->predictors[1] = get_sbits(gb, 10); s->predictors[1] = get_sbits(gb, 10);
s->predictors[2] = get_sbits(gb, size) << (10 - size); s->predictors[2] = get_sbits(gb, size) * (1 << (10 - size));
s->predictors[3] = get_sbits(gb, size) << (10 - size); s->predictors[3] = get_sbits(gb, size) * (1 << (10 - size));
if (filter_order > 4) { if (filter_order > 4) {
int tmp = size - get_bits1(gb); int tmp = size - get_bits1(gb);
for (i = 4; i < filter_order; i++) { for (i = 4; i < filter_order; i++) {
if (!(i & 3)) if (!(i & 3))
x = tmp - get_bits(gb, 2); x = tmp - get_bits(gb, 2);
s->predictors[i] = get_sbits(gb, x) << (10 - size); s->predictors[i] = get_sbits(gb, x) * (1 << (10 - size));
} }
} }
tfilter[0] = s->predictors[0] << 6; tfilter[0] = s->predictors[0] * 64;
for (i = 1; i < filter_order; i++) { for (i = 1; i < filter_order; i++) {
int32_t *p1 = &tfilter[0]; int32_t *p1 = &tfilter[0];
int32_t *p2 = &tfilter[i - 1]; int32_t *p2 = &tfilter[i - 1];
@ -457,7 +457,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded,
p2--; p2--;
} }
tfilter[i] = s->predictors[i] << 6; tfilter[i] = s->predictors[i] * 64;
} }
x = 1 << (32 - (15 - filter_quant)); x = 1 << (32 - (15 - filter_quant));
@ -491,7 +491,7 @@ static int decode_subframe(TAKDecContext *s, int32_t *decoded,
s->residues[i + j + 1] * s->filter[j + 1] + s->residues[i + j + 1] * s->filter[j + 1] +
s->residues[i + j ] * s->filter[j ]; s->residues[i + j ] * s->filter[j ];
} }
v = (av_clip_intp2(v >> filter_quant, 13) << dshift) - *decoded; v = (av_clip_intp2(v >> filter_quant, 13) * (1 << dshift)) - *decoded;
*decoded++ = v; *decoded++ = v;
s->residues[filter_order + i] = v >> dshift; s->residues[filter_order + i] = v >> dshift;
} }