[FFmpeg-devel] [PATCH 1/5] avcodec/binkaudio: Check sample rate
Michael Niedermayer
michael at niedermayer.cc
Wed Oct 16 20:54:25 EEST 2019
On Tue, Oct 15, 2019 at 08:44:23PM +1100, Peter Ross wrote:
> On Mon, Oct 14, 2019 at 10:06:55PM +0200, Michael Niedermayer wrote:
> > On Sun, Oct 13, 2019 at 10:51:49AM +1100, Peter Ross wrote:
> > > On Sat, Oct 12, 2019 at 06:53:05PM -0300, James Almer wrote:
> > > > On 10/12/2019 5:47 PM, Michael Niedermayer wrote:
> > > > > On Fri, Oct 11, 2019 at 08:51:54PM +1100, Peter Ross wrote:
> > > > >> On Fri, Oct 11, 2019 at 12:40:07AM +0200, Michael Niedermayer wrote:
> > > > >>> Fixes: signed integer overflow: 1092624416 * 2 cannot be represented in type 'int'
> > > > >>> Fixes: 18045/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_RDFT_fuzzer-5718519492116480
> > > > >>>
> > > > >>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > > >>> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > > > >>> ---
> > > > >>> libavcodec/binkaudio.c | 2 ++
> > > > >>> 1 file changed, 2 insertions(+)
> > > > >>>
> > > > >>> diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c
> > > > >>> index 96cf968c66..2384ebf312 100644
> > > > >>> --- a/libavcodec/binkaudio.c
> > > > >>> +++ b/libavcodec/binkaudio.c
> > > > >>> @@ -95,6 +95,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
> > > > >>> if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT) {
> > > > >>> // audio is already interleaved for the RDFT format variant
> > > > >>> avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
> > > > >>> + if (sample_rate > INT_MAX / avctx->channels)
> > > > >>> + return AVERROR_INVALIDDATA;
> > > > >>> sample_rate *= avctx->channels;
> > > > >>> s->channels = 1;
> > > > >>> if (!s->version_b)
> > > > >>> --
> > > > >>> 2.23.0
> > > > >>
> > > > >> i think this checl belongs inside the fuzzer test harness, or as a general
> > > > >> purpose codec check.
> > > > >>
> > > > >> the bink and smaker demuxers will only ever use BINKAUDIO_RDFT with 1 or 2 channels.
> > > > >
> > > > > In the case of the overflow channels was 2
> > > > >
> > > > > what check do you suggest to be done in general code ?
> > > > > A check specific to the fuzzer would fail to prevent this from happening
> > > > > outside the fuzzer
> > >
> > > fair enough, approve patch.
> > >
> > > > Judging by the bink demuxer reading 16 bits for sample_rate, I assume
> > > > binkaudio has a max valid value for it, like 44k or 48k, in which case a
> > > > check like the one for channels at the beginning of this function would
> > > > be the proper non general code fix. If not one of those two values, then
> > > > just <= UINT16_MAX.
> > >
> > > the bink demuxer supplied sample_reate is 16-bits wide, smacker is 24-bits.
> > > the error can never happen when using ffmpeg+libavformat+libavcodec to play any
> > > bink or smacker files, but i guess we need to account for other use cases.
> >
> > do you prefer the original patch or a check based on the maximum the current
> > demuxers can inject (24bits) ?
>
> original one is good.
ok will apply that
thanks
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Freedom in capitalist society always remains about the same as it was in
ancient Greek republics: Freedom for slave owners. -- Vladimir Lenin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20191016/4602e32f/attachment.sig>
More information about the ffmpeg-devel
mailing list