Fix fuzzer-found overflow in AGC1

Much like https://bugs.chromium.org/p/chromium/issues/detail?id=855900,
the int32 gain table isn't always small enough for plain multiplication
with an int16.

This appears fixable through regular fixed-point arithmetic (multiply
out[i][n] by integer and fractional part of gain separately), but it's
less readable.

Bug: chromium:858989
Change-Id: Ie5aac25fd0cca4e51858cba69bde06c54a5d31bf
Reviewed-on: https://webrtc-review.googlesource.com/86602
Reviewed-by: Alex Loiko <aleloi@webrtc.org>
Commit-Queue: Sam Zackrisson <saza@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#23815}
Sam Zackrisson 2018-07-02 15:01:11 +02:00 committed by Commit Bot
parent a8eb1e619e
commit 46f858a626
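
The commit message above mentions a split fixed-point alternative to the 64-bit widening. The following C code is an added example, not code from this commit or from WebRTC: it compares the two forms and reports when the plain 32-bit product cannot hold the result. The function names, the sample inputs and the reading of the multiplier as a Q16 value are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: the multiplier is a Q16 gain, as the >> 16 in the patch implies.
   Right shifts of negative values are assumed arithmetic (true for GCC/Clang). */

/* Returns 1 if sample * gain does not fit in int32 (a plain multiply overflows). */
static int product_overflows_int32(int16_t sample, int32_t gain) {
  int64_t p = (int64_t)sample * gain;
  return p > INT32_MAX || p < INT32_MIN;
}

/* Widened form: the product is formed in 64 bits, then scaled back. */
static int32_t scale_wide(int16_t sample, int32_t gain) {
  return (int32_t)(((int64_t)sample * gain) >> 16);
}

/* Split form: gain = hi * 65536 + lo with 0 <= lo < 65536.
   |sample * lo| <= 32768 * 65535 < 2^31, so each partial product fits int32. */
static int32_t scale_split(int16_t sample, int32_t gain) {
  int32_t hi = gain >> 16;    /* integer part of the gain */
  int32_t lo = gain & 0xFFFF; /* fractional part of the gain */
  return sample * hi + ((sample * lo) >> 16);
}

/* Compares both forms over constructed edge-case inputs; returns mismatches. */
static int count_mismatches(void) {
  static const int16_t samples[] = {-32768, -12345, -1, 0, 1, 4095, 32767};
  static const int32_t gains[] = {0, 1, 65535, 65536, 1 << 17,
                                  0x00ABCDEF, INT32_MAX};
  int bad = 0;
  for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++)
    for (size_t g = 0; g < sizeof gains / sizeof gains[0]; g++)
      if (scale_split(samples[s], gains[g]) != scale_wide(samples[s], gains[g]))
        bad++;
  return bad;
}

int main(void) {
  /* A gain of 2.0 in Q16 already overflows int32 for a full-scale sample. */
  printf("overflow at 32767 * 2.0: %d\n",
         product_overflows_int32(32767, 1 << 17));
  printf("mismatches: %d\n", count_mismatches());
  return 0;
}
```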

@ -504,18 +504,16 @@ int32_t WebRtcAgc_ProcessDigital(DigitalAgc* stt,
// iterate over samples
for (n = 0; n < L; n++) {
for (i = 0; i < num_bands; ++i) {
tmp32 = out[i][n] * ((gain32 + 127) >> 7);
out_tmp = tmp32 >> 16;
out_tmp = (int64_t)out[i][n] * ((gain32 + 127) >> 7) >> 16;
if (out_tmp > 4095) {
out[i][n] = (int16_t)32767;
} else if (out_tmp < -4096) {
out[i][n] = (int16_t)-32768;
} else {
tmp32 = out[i][n] * (gain32 >> 4);
out[i][n] = (int16_t)(tmp32 >> 16);
tmp32 = ((int64_t)out[i][n] * (gain32 >> 4)) >> 16;
out[i][n] = (int16_t)tmp32;
}
}
//
gain32 += delta;
}
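Review bot: the new `out_tmp` assignment relies on `*` binding tighter than `>>` to shift the 64-bit product, while the replacement in the else branch parenthesizes the product explicitly (`((int64_t)out[i][n] * (gain32 >> 4)) >> 16`); write both the same way, for example `out_tmp = ((int64_t)out[i][n] * ((gain32 + 127) >> 7)) >> 16;`, so it is obvious the widening is applied before the shift. Both results are then stored back into `out_tmp` and `tmp32`, whose declarations are outside the hunk; a short comment stating that an int16 times an int32 shifted right by 16 fits in 32 bits would make that narrowing easy to verify. `gain32 + 127` is still computed in 32 bits and `gain32 += delta` accumulates across the loop, so it is worth confirming where `gain32` is bounded, and a regression test built from the fuzzer input in the referenced bug would keep the overflow from coming back.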