[FFmpeg-devel] [PATCH 1/5] avcodec/binkaudio: Check sample rate
James Almer
jamrial at gmail.com
Sun Oct 13 00:53:05 EEST 2019
On 10/12/2019 5:47 PM, Michael Niedermayer wrote:
> On Fri, Oct 11, 2019 at 08:51:54PM +1100, Peter Ross wrote:
>> On Fri, Oct 11, 2019 at 12:40:07AM +0200, Michael Niedermayer wrote:
>>> Fixes: signed integer overflow: 1092624416 * 2 cannot be represented in type 'int'
>>> Fixes: 18045/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_RDFT_fuzzer-5718519492116480
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
>>> ---
>>> libavcodec/binkaudio.c | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c
>>> index 96cf968c66..2384ebf312 100644
>>> --- a/libavcodec/binkaudio.c
>>> +++ b/libavcodec/binkaudio.c
>>> @@ -95,6 +95,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
>>> if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT) {
>>> // audio is already interleaved for the RDFT format variant
>>> avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
>>> + if (sample_rate > INT_MAX / avctx->channels)
>>> + return AVERROR_INVALIDDATA;
>>> sample_rate *= avctx->channels;
>>> s->channels = 1;
>>> if (!s->version_b)
>>> --
>>> 2.23.0
>>
>> i think this checl belongs inside the fuzzer test harness, or as a general
>> purpose codec check.
>>
>> the bink and smaker demuxers will only ever use BINKAUDIO_RDFT with 1 or 2 channels.
>
> In the case of the overflow channels was 2
>
> what check do you suggest to be done in general code ?
> A check specific to the fuzzer would fail to prevent this from happening
> outside the fuzzer
>
> Thanks
Judging by the bink demuxer reading 16 bits for sample_rate, I assume
binkaudio has a max valid value for it, like 44k or 48k, in which case a
check like the one for channels at the beginning of this function would
be the proper non general code fix. If not one of those two values, then
just <= UINT16_MAX.
More information about the ffmpeg-devel
mailing list