From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sun, 19 Feb 2017 19:32:48 +0000 (+0100)
Subject: avcodec/eac3dec: Fix runtime error: left shift of negative value
X-Git-Tag: android-x86-7.1-r1~2052
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=067485b673f6ac4b1207d6fc975d1fd968edc68e;p=android-x86%2Fexternal-ffmpeg.git

avcodec/eac3dec: Fix runtime error: left shift of negative value

Fixes: 610/clusterfuzz-testcase-4831030085156864

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---

diff --git a/libavcodec/eac3dec.c b/libavcodec/eac3dec.c
index 83a54bcfab..be2350237e 100644
--- a/libavcodec/eac3dec.c
+++ b/libavcodec/eac3dec.c
@@ -252,7 +252,7 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch)
             /* Vector Quantization */
             int v = get_bits(gbc, bits);
             for (blk = 0; blk < 6; blk++) {
-                s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] << 8;
+                s->pre_mantissa[ch][bin][blk] = ff_eac3_mantissa_vq[hebap][v][blk] * (1 << 8);
             }
         } else {
             /* Gain Adaptive Quantization */
@@ -271,12 +271,12 @@ static void ff_eac3_decode_transform_coeffs_aht_ch(AC3DecodeContext *s, int ch)
                     int b;
                     int mbits = bits - (2 - log_gain);
                     mant = get_sbits(gbc, mbits);
-                    mant <<= (23 - (mbits - 1));
+                    mant = ((unsigned)mant) << (23 - (mbits - 1));
                     /* remap mantissa value to correct for asymmetric quantization */
                     if (mant >= 0)
                         b = 1 << (23 - log_gain);
                     else
-                        b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] << 8;
+                        b = ff_eac3_gaq_remap_2_4_b[hebap-8][log_gain-1] * (1 << 8);
                     mant += ((ff_eac3_gaq_remap_2_4_a[hebap-8][log_gain-1] * (int64_t)mant) >> 15) + b;
                 } else {
                     /* small mantissa, no GAQ, or Gk=1 */