[FFmpeg-devel] [PATCH 1/5] avcodec/binkaudio: Check sample rate
Peter Ross
pross at xvid.org
Tue Oct 15 12:44:23 EEST 2019
On Mon, Oct 14, 2019 at 10:06:55PM +0200, Michael Niedermayer wrote:
> On Sun, Oct 13, 2019 at 10:51:49AM +1100, Peter Ross wrote:
> > On Sat, Oct 12, 2019 at 06:53:05PM -0300, James Almer wrote:
> > > On 10/12/2019 5:47 PM, Michael Niedermayer wrote:
> > > > On Fri, Oct 11, 2019 at 08:51:54PM +1100, Peter Ross wrote:
> > > >> On Fri, Oct 11, 2019 at 12:40:07AM +0200, Michael Niedermayer wrote:
> > > >>> Fixes: signed integer overflow: 1092624416 * 2 cannot be represented in type 'int'
> > > >>> Fixes: 18045/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_RDFT_fuzzer-5718519492116480
> > > >>>
> > > >>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > >>> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > > >>> ---
> > > >>> libavcodec/binkaudio.c | 2 ++
> > > >>> 1 file changed, 2 insertions(+)
> > > >>>
> > > >>> diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c
> > > >>> index 96cf968c66..2384ebf312 100644
> > > >>> --- a/libavcodec/binkaudio.c
> > > >>> +++ b/libavcodec/binkaudio.c
> > > >>> @@ -95,6 +95,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
> > > >>> if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT) {
> > > >>> // audio is already interleaved for the RDFT format variant
> > > >>> avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
> > > >>> + if (sample_rate > INT_MAX / avctx->channels)
> > > >>> + return AVERROR_INVALIDDATA;
> > > >>> sample_rate *= avctx->channels;
> > > >>> s->channels = 1;
> > > >>> if (!s->version_b)
> > > >>> --
> > > >>> 2.23.0
> > > >>
> > > >> i think this checl belongs inside the fuzzer test harness, or as a general
> > > >> purpose codec check.
> > > >>
> > > >> the bink and smaker demuxers will only ever use BINKAUDIO_RDFT with 1 or 2 channels.
> > > >
> > > > In the case of the overflow channels was 2
> > > >
> > > > what check do you suggest to be done in general code ?
> > > > A check specific to the fuzzer would fail to prevent this from happening
> > > > outside the fuzzer
> >
> > fair enough, approve patch.
> >
> > > Judging by the bink demuxer reading 16 bits for sample_rate, I assume
> > > binkaudio has a max valid value for it, like 44k or 48k, in which case a
> > > check like the one for channels at the beginning of this function would
> > > be the proper non general code fix. If not one of those two values, then
> > > just <= UINT16_MAX.
> >
> > the bink demuxer supplied sample_reate is 16-bits wide, smacker is 24-bits.
> > the error can never happen when using ffmpeg+libavformat+libavcodec to play any
> > bink or smacker files, but i guess we need to account for other use cases.
>
> do you prefer the original patch or a check based on the maximum the current
> demuxers can inject (24bits) ?
original one is good.
-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20191015/03f007d2/attachment.sig>
More information about the ffmpeg-devel
mailing list