[FFmpeg-devel] [PATCH 3/7] avcodec/alsdec: Fix integer overflow with buffer number
Michael Niedermayer
michael at niedermayer.cc
Sat Jul 6 23:10:44 EEST 2019
On Sat, Jul 06, 2019 at 09:39:32PM +0200, Thilo Borgmann wrote:
> Am 21.06.19 um 09:00 schrieb Reimar Döffinger:
> >
> >
> > On 21.06.2019, at 00:47, Michael Niedermayer <michael at niedermayer.cc> wrote:
> >
> >> Fixes: signed integer overflow: 65313 * 65313 cannot be represented in type 'int'
> >> Fixes: 15290/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5738074249625600
> >>
> >> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> >> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> >> ---
> >> libavcodec/alsdec.c | 2 ++
> >> 1 file changed, 2 insertions(+)
> >>
> >> diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
> >> index 79d22b7c2b..8e0d3e5f83 100644
> >> --- a/libavcodec/alsdec.c
> >> +++ b/libavcodec/alsdec.c
> >> @@ -1990,6 +1990,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
> >>
> >> // allocate quantized parcor coefficient buffer
> >> num_buffers = sconf->mc_coding ? avctx->channels : 1;
> >> + if (num_buffers * (uint64_t)num_buffers > INT_MAX)
> >> + return AVERROR_INVALIDDATA;
> >
> > It would be nice if it was clear which code this check protects, i.e. some connection between the check and the code that overflows.
> > I guess one might also ask if > 30 000 channels might not be something to catch and disallow earlier and generally...
>
> AFAICT the specs allow all 16 bit aka 65536 (+1) channels. For the case that remark from Raimar had been addressed..
its the chan_data_buffer allocation. Ill add a comment
>
> The rest lgtm. I would appreciate s.o. bumping me if I miss something about ALS on devel, pls 0:-)
not sure i understand the abbreviation but i will apply the patchset as it
seems, thats the consensus and ill try to ping you in the future of als patches unless
i forget ... sadly i tend to forget these things ...
Thanks
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
What does censorship reveal? It reveals fear. -- Julian Assange
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20190706/d4f76c8f/attachment.sig>
More information about the ffmpeg-devel
mailing list