From 2b93f52cd635f372b7b22396939e840c63e8edf3 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Fri, 27 Sep 2019 17:01:38 +0200
Subject: [PATCH] avcodec/lsp: Fix undefined shifts in lsp2poly()

Fixes: left shift of negative value -30635
Fixes: 17689/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ACELP_KELVIN_fuzzer-5756275014500352

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/lsp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/lsp.c b/libavcodec/lsp.c
index 9aba020ebb..fb4da47894 100644
--- a/libavcodec/lsp.c
+++ b/libavcodec/lsp.c
@@ -108,7 +108,7 @@ static void lsp2poly(int* f, const int16_t* lsp, int lp_half_order)
     int i, j;
 
     f[0] = 0x400000;          // 1.0 in (3.22)
-    f[1] = -lsp[0] << 8;      // *2 and (0.15) -> (3.22)
+    f[1] = -lsp[0] * 256;     // *2 and (0.15) -> (3.22)
 
     for(i=2; i<=lp_half_order; i++)
     {
@@ -116,7 +116,7 @@ static void lsp2poly(int* f, const int16_t* lsp, int lp_half_order)
         for(j=i; j>1; j--)
             f[j] -= MULL(f[j-1], lsp[2*i-2], FRAC_BITS) - f[j-2];
 
-        f[1] -= lsp[2*i-2] << 8;
+        f[1] -= lsp[2*i-2] * 256;
     }
 }