[FFmpeg-cvslog] avcodec/g723_1dec: Clip after shift in estimate_sid_gain()

Michael Niedermayer git at videolan.org
Sat May 20 18:57:34 EEST 2017


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat May 20 14:16:57 2017 +0200| [23868ad5cb9b78ef95d2f71371d4f568b36218d5] | committer: Michael Niedermayer

avcodec/g723_1dec: Clip after shift in estimate_sid_gain()

Fixes: runtime error: left shift of 706 by 22 places cannot be represented in type 'int'
See: L_shl() in the reference software
Fixes: 1609/clusterfuzz-testcase-minimized-5102163007111168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=23868ad5cb9b78ef95d2f71371d4f568b36218d5
---

 libavcodec/g723_1dec.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c
index aaa26c24ef..c8202a937c 100644
--- a/libavcodec/g723_1dec.c
+++ b/libavcodec/g723_1dec.c
@@ -660,9 +660,15 @@ static int estimate_sid_gain(G723_1_Context *p)
     int i, shift, seg, seg2, t, val, val_add, x, y;
 
     shift = 16 - p->cur_gain * 2;
-    if (shift > 0)
-        t = p->sid_gain << shift;
-    else
+    if (shift > 0) {
+        if (p->sid_gain == 0) {
+            t = 0;
+        } else if (shift >= 31 || (int32_t)((uint32_t)p->sid_gain << shift) >> shift != p->sid_gain) {
+            if (p->sid_gain < 0) t = INT32_MIN;
+            else                 t = INT32_MAX;
+        } else
+            t = p->sid_gain << shift;
+    }else
         t = p->sid_gain >> -shift;
     x = av_clipl_int32(t * (int64_t)cng_filt[0] >> 16);
 
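Review bot: the non-saturating branch `t = p->sid_gain << shift;` still left-shifts a signed `int`, which is undefined behaviour in C for a negative `sid_gain` even when the result fits, so the sanitizer can keep reporting here; the overflow check directly above already computes `(uint32_t)p->sid_gain << shift`, and reusing it, e.g. `t = (int32_t)((uint32_t)p->sid_gain << shift);`, keeps the checked and the emitted arithmetic identical. Minor style: `}else` should be `} else` to match the surrounding code, and the brace-less inner `else` is inconsistent with the braced `if` / `else if` branches just above it.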