From b5c1607e9286581bb63c8225df75e47aff8eae96 Mon Sep 17 00:00:00 2001
From: Alex Loiko
Date: Tue, 18 Jul 2017 13:03:35 +0200
Subject: [PATCH] UBSan fuzzer bug in LowCutFilter::BiqueadFilter::Process

The variable 'tmp_int32' in LowCutFilter::BiqueadFilter::Process can be negative. This replaces a left shift with multiplication.

Bug: chromium:735593, chromium:743330
Change-Id: Idec7fbcc17495f7241eb4bea44920585740e3695
Reviewed-on: https://chromium-review.googlesource.com/575136
Commit-Queue: Alex Loiko
Reviewed-by: Sam Zackrisson
Cr-Commit-Position: refs/heads/master@{#19074}
---
 webrtc/modules/audio_processing/low_cut_filter.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webrtc/modules/audio_processing/low_cut_filter.cc b/webrtc/modules/audio_processing/low_cut_filter.cc
index ea45532427..86851cb9d0 100644
--- a/webrtc/modules/audio_processing/low_cut_filter.cc
+++ b/webrtc/modules/audio_processing/low_cut_filter.cc
@@ -44,7 +44,7 @@ class LowCutFilter::BiquadFilter {
 tmp_int32 = (tmp_int32 >> 15);
 tmp_int32 += y[0] * ba[3]; // -a[1] * y[i-1] (high part)
 tmp_int32 += y[2] * ba[4]; // -a[2] * y[i-2] (high part)
- tmp_int32 = (tmp_int32 << 1);
+ tmp_int32 *= 2;
 tmp_int32 += data[i] * ba[0]; // b[0] * x[0]
 tmp_int32 += x[0] * ba[1]; // b[1] * x[i-1]
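Review bot: `tmp_int32 *= 2;` is still a signed 32-bit operation, so it stays undefined whenever the accumulated magnitude exceeds 2^30, even though it no longer shifts a negative value. The ranges of `y[]` and `ba[]` are not visible in this hunk, so whether fuzzed input can push the sum that far cannot be confirmed from here. If saturation elsewhere in the loop guarantees the bound, record it beside the line, e.g. `// Multiply, not <<: tmp_int32 may be negative; |tmp_int32| < 2^30 here because <reason to confirm>`. Otherwise consider accumulating in `int64_t` and narrowing only after the value has been range-limited. The loop body of `Process` starts before and continues after the hunk.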