From 23868ad5cb9b78ef95d2f71371d4f568b36218d5 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 20 May 2017 14:16:57 +0200
Subject: [PATCH] avcodec/g723_1dec: Clip after shift in estimate_sid_gain()

Fixes: runtime error: left shift of 706 by 22 places cannot be represented in type 'int'
See: L_shl() in the reference software
Fixes: 1609/clusterfuzz-testcase-minimized-5102163007111168
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/g723_1dec.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/libavcodec/g723_1dec.c b/libavcodec/g723_1dec.c
index aaa26c24ef..c8202a937c 100644
--- a/libavcodec/g723_1dec.c
+++ b/libavcodec/g723_1dec.c
@@ -660,9 +660,15 @@ static int estimate_sid_gain(G723_1_Context *p)
 int i, shift, seg, seg2, t, val, val_add, x, y;
 shift = 16 - p->cur_gain * 2;
- if (shift > 0)
- t = p->sid_gain << shift;
- else
+ if (shift > 0) {
+ if (p->sid_gain == 0) {
+ t = 0;
+ } else if (shift >= 31 || (int32_t)((uint32_t)p->sid_gain << shift) >> shift != p->sid_gain) {
+ if (p->sid_gain < 0) t = INT32_MIN;
+ else t = INT32_MAX;
+ } else
+ t = p->sid_gain << shift;
+ }else
 t = p->sid_gain >> -shift;
 x = av_clipl_int32(t * (int64_t)cng_filt[0] >> 16);
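Review bot: The non-saturating branch `t = p->sid_gain << shift;` still left-shifts a signed operand, which C leaves undefined whenever p->sid_gain is negative even if the product fits in 32 bits — and the new saturation branch explicitly expects a negative sid_gain. The round-trip check already forms the value in unsigned arithmetic, so the same expression can be reused there: `t = (int32_t)((uint32_t)p->sid_gain << shift);`. The untouched `else` path `t = p->sid_gain >> -shift;` is likewise undefined if -shift ever reaches 32 (cur_gain >= 24); whether cur_gain is bounded below that is not visible in the hunk. Minor style: `}else` should be `} else`, and the one-line `if (p->sid_gain < 0) t = INT32_MIN; else t = INT32_MAX;` would read better split across lines like the braced block above it. estimate_sid_gain's body continues past the end of the hunk.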