avcodec/ac3dec_fixed: Fix several invalid left shifts in scale_coefs()

Fixes: left shift of negative value -14336
Fixes: 20298/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AC3_FIXED_fuzzer-5675484201615360
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

diff --git a/libavcodec/ac3dec_fixed.c b/libavcodec/ac3dec_fixed.c
index bd66175d50f93a1893cf60309f5e0b64e1a766d1..1e1edc89645aecaac13ee1de1059cc99e45a2521 100644 (file)
--- a/libavcodec/ac3dec_fixed.c
+++ b/libavcodec/ac3dec_fixed.c
@@ -107,29 +107,30 @@ static void scale_coefs (
       }
     } else {
       shift = -shift;
+      mul <<= shift;
       for (i=0; i<len; i+=8) {
 
           temp = src[i] * mul;
           temp1 = src[i+1] * mul;
           temp2 = src[i+2] * mul;
 
-          dst[i] = temp << shift;
+          dst[i] = temp;
           temp3 = src[i+3] * mul;
 
-          dst[i+1] = temp1 << shift;
+          dst[i+1] = temp1;
           temp4 = src[i + 4] * mul;
-          dst[i+2] = temp2 << shift;
+          dst[i+2] = temp2;
 
           temp5 = src[i+5] * mul;
-          dst[i+3] = temp3 << shift;
+          dst[i+3] = temp3;
           temp6 = src[i+6] * mul;
 
-          dst[i+4] = temp4 << shift;
+          dst[i+4] = temp4;
           temp7 = src[i+7] * mul;
 
-          dst[i+5] = temp5 << shift;
-          dst[i+6] = temp6 << shift;
-          dst[i+7] = temp7 << shift;
+          dst[i+5] = temp5;
+          dst[i+6] = temp6;
+          dst[i+7] = temp7;
 
       }
     }