From 32c6ae249fb879d75de119bc63b9a16f9f14bdca Mon Sep 17 00:00:00 2001
From: Sam Zackrisson <saza@webrtc.org>
Date: Mon, 11 Dec 2017 11:44:25 +0100
Subject: [PATCH] Fix fuzzer-found undefined behavior in webrtc_cng

The computation (x-127) << 8 is undefined for x < 127.
This CL replaces the shift with a multiplication: (x-127) * (1 << 8)

Bug: chromium:793201
Change-Id: I38b40bd88300208a0bfbbd8fe144b0a5b51a48ed
Reviewed-on: https://webrtc-review.googlesource.com/31800
Commit-Queue: Sam Zackrisson <saza@webrtc.org>
Reviewed-by: Henrik Lundin <henrik.lundin@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#21205}
---
 modules/audio_coding/codecs/cng/webrtc_cng.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/audio_coding/codecs/cng/webrtc_cng.cc b/modules/audio_coding/codecs/cng/webrtc_cng.cc
index 8b8e57eb44..bd17a614bc 100644
--- a/modules/audio_coding/codecs/cng/webrtc_cng.cc
+++ b/modules/audio_coding/codecs/cng/webrtc_cng.cc
@@ -99,7 +99,7 @@ void ComfortNoiseDecoder::UpdateSid(rtc::ArrayView<const uint8_t> sid) {
     }
   } else {
     for (size_t i = 0; i < (dec_order_); i++) {
-      refCs[i] = (sid[i + 1] - 127) << 8; /* Q7 to Q15. */
+      refCs[i] = (sid[i + 1] - 127) * (1 << 8); /* Q7 to Q15. */
       dec_target_reflCoefs_[i] = refCs[i];
     }
   }