authordalecurtis@chromium.org <dalecurtis@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-08-13 19:18:44 +0000
committerdalecurtis@chromium.org <dalecurtis@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-08-13 19:18:44 +0000
commit14ac682365925234f1f7bc3572f185b69f798814 (patch)
tree92e88a35ae3abf6fbd87b6b53d0ace098e9dc031 /media/webm/webm_cluster_parser.cc
parent3eaf5432ecb58dbe6d99a4eeebfa4c13618383f6 (diff)
Fix undefined behavior due to negative bitshifting.
Reported externally here: http://www.viva64.com/en/b/0205/ Relevant C++ spec: The value of E1 << E2 is E1 left-shifted E2 bit positions; vacated bits are zero-filled. If E1 has an unsigned type, the value of the result is E1 × 2^E2, reduced modulo one more than the maximum value representable in the result type. Otherwise, if E1 has a signed type and non-negative value, and E1×2^E2 is representable in the result type, then that is the resulting value; otherwise, the behavior is undefined. BUG=271530 TEST=media_unittests Review URL: https://chromiumcodereview.appspot.com/22950002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@217307 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'media/webm/webm_cluster_parser.cc')
-rw-r--r--media/webm/webm_cluster_parser.cc4
1 files changed, 3 insertions, 1 deletions
diff --git a/media/webm/webm_cluster_parser.cc b/media/webm/webm_cluster_parser.cc
index f83a365..9991d6b 100644
--- a/media/webm/webm_cluster_parser.cc
+++ b/media/webm/webm_cluster_parser.cc
@@ -214,7 +214,7 @@ bool WebMClusterParser::ParseBlock(bool is_simple_block, const uint8* buf,
// Sign extend negative timecode offsets.
if (timecode & 0x8000)
- timecode |= (-1 << 16);
+ timecode |= ~0xffff;
const uint8* frame_data = buf + 4;
int frame_size = size - (frame_data - buf);
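Review bot: Nothing on the new `timecode |= ~0xffff;` line says why the mask replaced the shift, so a later cleanup could put `-1 << 16` back; a comment such as `// Use ~0xffff rather than (-1 << 16): left-shifting a negative value is undefined behavior.` would prevent that. `timecode` is declared outside the hunk; if it only ever holds the 16-bit field at this point, `timecode -= 0x10000;` expresses the same two's-complement conversion with plain arithmetic and does not depend on the width of the literal. This value is read from the media stream, and the `timecode < 0` check in OnBlock appears to depend on the sign extension. The commit touches only this file, so a unit test that feeds a block with the high timecode bit set would be worth adding. ParseBlock's body starts and ends outside the hunk.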
@@ -277,6 +277,8 @@ bool WebMClusterParser::OnBlock(bool is_simple_block, int track_num,
return false;
}
+ // TODO(acolwell): Should relative negative timecode offsets be rejected? Or
+ // only when the absolute timecode is negative? See http://crbug.com/271794
if (timecode < 0) {
MEDIA_LOG(log_cb_) << "Got a block with negative timecode offset "
<< timecode;