four out-of-bound bugs in g729dec.c and g729postfilter.c

[Suhwan]

Summary of the bug:
There're 4 out of bounds bugs in g729dec.c and g729postfilter.c and 10 left shift of negative value bugs in libavcodec/lsp.c and libavcodec/g729postfilter.c

libavcodec/lsp.c:111:20: runtime error: left shift of negative value -31132
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/lsp.c:111:20 in 
libavcodec/lsp.c:119:28: runtime error: left shift of negative value -9097
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/lsp.c:119:28 in 
libavcodec/g729postfilter.c:503:58: runtime error: left shift of negative value -1743
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/g729postfilter.c:503:58 in 
libavcodec/g729postfilter.c:159:41: runtime error: left shift of negative value -1
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/g729postfilter.c:159:41 in 
libavcodec/g729postfilter.c:503:28: runtime error: left shift of negative value -11
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/g729postfilter.c:503:28 in 
libavcodec/g729dec.c:555:45: runtime error: index 62 out of bounds for type 'int16_t [40]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/g729dec.c:555:45 in 
libavcodec/g729dec.c:556:45: runtime error: index 62 out of bounds for type 'int16_t [40]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/g729dec.c:556:45 in 
libavcodec/g729postfilter.c:204:65: runtime error: index -61 out of bounds for type 'int16_t [192]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/g729postfilter.c:204:65 in 
libavcodec/g729postfilter.c:205:64: runtime error: index -61 out of bounds for type 'int16_t [192]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/g729postfilter.c:205:64 in 
libavcodec/g729postfilter.c:509:24: runtime error: left shift of negative value -14
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/g729postfilter.c:509:24 in 
libavcodec/g729postfilter.c:509:54: runtime error: left shift of negative value -23520
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/g729postfilter.c:509:54 in 
libavcodec/g729postfilter.c:349:49: runtime error: left shift of negative value -1
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/g729postfilter.c:349:49 in 
libavcodec/g729postfilter.c:370:36: runtime error: left shift of negative value -55
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/g729postfilter.c:370:36 in 
libavcodec/g729postfilter.c:467:18: runtime error: left shift of negative value -338
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/g729postfilter.c:467:18 in

How to reproduce:

% ffmpeg_g -stream_loop 25 -y -r 110 -i rec09.act -loglevel 0 -map 0 -aframes 52 -ar 22050 -ac 14 -b:v 786k -strict 3 tmp.ogg

ffmpeg version N-94961-g1d86e4b3eb Copyright (c) 2000-2019 the FFmpeg developers
  built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
  configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-usan

[Suhwan]

poc

[Michael Niedermayer]

This had some overlap with ossfuzz issue 17689 which was fixed in 6a4fdbf112385824fc9b7d7739685359213b579a 0c61661a2cbe1b8b284c80ada1c2fdddf4992cad 2b93f52cd635f372b7b22396939e840c63e8edf3
Ill post a fix for the remaining issues for this ticket to ffmpeg-devel

[Carl Eugen Hoyos]

Fixed by Michael in 5f0acc5064ed501cb40d4aaccae2b3ce5c4552fd and 2c78a76cb0443f8a12a5eadc3b58373aa2f4ab22