Fix fuzzer-found overflow in AGC1
Much like https://bugs.chromium.org/p/chromium/issues/detail?id=855900,
the int32 gain table isn't always small enough for plain multiplication
with an int16.
This appears fixable through regular fixed-point arithmetic (multiply
out[i][n] by integer and fractional part of gain separately), but it's
less readable.
Bug: chromium:858989
Change-Id: Ie5aac25fd0cca4e51858cba69bde06c54a5d31bf
Reviewed-on: https://webrtc-review.googlesource.com/86602
Reviewed-by: Alex Loiko <aleloi@webrtc.org>
Commit-Queue: Sam Zackrisson <saza@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#23815}
diff --git a/modules/audio_processing/agc/legacy/digital_agc.c b/modules/audio_processing/agc/legacy/digital_agc.c
index 62787df..f3c1cf7 100644
--- a/modules/audio_processing/agc/legacy/digital_agc.c
+++ b/modules/audio_processing/agc/legacy/digital_agc.c
@@ -504,18 +504,16 @@
// iterate over samples
for (n = 0; n < L; n++) {
for (i = 0; i < num_bands; ++i) {
- tmp32 = out[i][n] * ((gain32 + 127) >> 7);
- out_tmp = tmp32 >> 16;
+ out_tmp = (int64_t)out[i][n] * ((gain32 + 127) >> 7) >> 16;
if (out_tmp > 4095) {
out[i][n] = (int16_t)32767;
} else if (out_tmp < -4096) {
out[i][n] = (int16_t)-32768;
} else {
- tmp32 = out[i][n] * (gain32 >> 4);
- out[i][n] = (int16_t)(tmp32 >> 16);
+ tmp32 = ((int64_t)out[i][n] * (gain32 >> 4)) >> 16;
+ out[i][n] = (int16_t)tmp32;
}
}
- //
gain32 += delta;
}
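Review bot: The two widened multiplications are written inconsistently, and neither carries a comment saying why the cast is there. In the `out_tmp = (int64_t)out[i][n] * ((gain32 + 127) >> 7) >> 16;` line the shift applies to the 64-bit product only because `*` binds tighter than `>>`, while the `tmp32 = ((int64_t)out[i][n] * (gain32 >> 4)) >> 16;` line parenthesizes the product explicitly. Parenthesize both the same way, and add a one-line comment that an int16 sample times the int32 gain can exceed 32 bits, so the cast is not "simplified" away later. Both shifted results are narrowed again on assignment (to `out_tmp`, whose declaration is outside this hunk, and to `tmp32`), so it would help to state why the value fits after the `>> 16`. Separately, `gain32 + 127` and `gain32 += delta` are still plain int32 arithmetic; it is worth confirming from the gain table bounds that neither can overflow, since the fuzzer has already shown the gain values are larger than the original code assumed.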