UBSan fuzzer bug in LowCutFilter::BiqueadFilter::Process

The variable 'tmp_int32' in LowCutFilter::BiqueadFilter::Process can be negative. This replaces a left shift with multiplication. Bug: chromium:735593, chromium:743330 Change-Id: Idec7fbcc17495f7241eb4bea44920585740e3695 Reviewed-on: https://chromium-review.googlesource.com/575136 Commit-Queue: Alex Loiko <aleloi@webrtc.org> Reviewed-by: Sam Zackrisson <saza@webrtc.org> Cr-Commit-Position: refs/heads/master@{#19074}
2017-07-18 13:03:35 +02:00 · 2017-07-18 13:03:35 +02:00 · b5c1607e92
commit b5c1607e92
parent fcf97c3b75
1 changed files with 1 additions and 1 deletions
--- a/webrtc/modules/audio_processing/low_cut_filter.cc
+++ b/webrtc/modules/audio_processing/low_cut_filter.cc
@ -44,7 +44,7 @@ class LowCutFilter::BiquadFilter {
      tmp_int32 = (tmp_int32 >> 15);
      tmp_int32 += y[0] * ba[3];  // -a[1] * y[i-1] (high part)
      tmp_int32 += y[2] * ba[4];  // -a[2] * y[i-2] (high part)
-      tmp_int32 = (tmp_int32 << 1);
+      tmp_int32 *= 2;

      tmp_int32 += data[i] * ba[0];  // b[0] * x[0]
      tmp_int32 += x[0] * ba[1];     // b[1] * x[i-1]