[FFmpeg-devel] [PATCH 1/5] avcodec/binkaudio: Check sample rate

Michael Niedermayer michael at niedermayer.cc
Mon Oct 14 23:06:55 EEST 2019


On Sun, Oct 13, 2019 at 10:51:49AM +1100, Peter Ross wrote:
> On Sat, Oct 12, 2019 at 06:53:05PM -0300, James Almer wrote:
> > On 10/12/2019 5:47 PM, Michael Niedermayer wrote:
> > > On Fri, Oct 11, 2019 at 08:51:54PM +1100, Peter Ross wrote:
> > >> On Fri, Oct 11, 2019 at 12:40:07AM +0200, Michael Niedermayer wrote:
> > >>> Fixes: signed integer overflow: 1092624416 * 2 cannot be represented in type 'int'
> > >>> Fixes: 18045/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_RDFT_fuzzer-5718519492116480
> > >>>
> > >>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > >>> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > >>> ---
> > >>>  libavcodec/binkaudio.c | 2 ++
> > >>>  1 file changed, 2 insertions(+)
> > >>>
> > >>> diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c
> > >>> index 96cf968c66..2384ebf312 100644
> > >>> --- a/libavcodec/binkaudio.c
> > >>> +++ b/libavcodec/binkaudio.c
> > >>> @@ -95,6 +95,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
> > >>>      if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT) {
> > >>>          // audio is already interleaved for the RDFT format variant
> > >>>          avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
> > >>> +        if (sample_rate > INT_MAX / avctx->channels)
> > >>> +            return AVERROR_INVALIDDATA;
> > >>>          sample_rate  *= avctx->channels;
> > >>>          s->channels = 1;
> > >>>          if (!s->version_b)
> > >>> -- 
> > >>> 2.23.0
> > >>
> > >> i think this checl belongs inside the fuzzer test harness, or as a general
> > >> purpose codec check.
> > >>
> > >> the bink and smaker demuxers will only ever use BINKAUDIO_RDFT with 1 or 2 channels.
> > > 
> > > In the case of the overflow channels was 2
> > > 
> > > what check do you suggest to be done in general code ?
> > > A check specific to the fuzzer would fail to prevent this from happening
> > > outside the fuzzer
> 
> fair enough, approve patch.
> 
> > Judging by the bink demuxer reading 16 bits for sample_rate, I assume
> > binkaudio has a max valid value for it, like 44k or 48k, in which case a
> > check like the one for channels at the beginning of this function would
> > be the proper non general code fix. If not one of those two values, then
> > just <= UINT16_MAX.
> 
> the bink demuxer supplied sample_reate is 16-bits wide, smacker is 24-bits.
> the error can never happen when using ffmpeg+libavformat+libavcodec to play any
> bink or smacker files, but i guess we need to account for other use cases.

do you prefer the original patch or a check based on the maximum the current
demuxers can inject (24bits) ?

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Dictatorship naturally arises out of democracy, and the most aggravated
form of tyranny and slavery out of the most extreme liberty. -- Plato
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20191014/60dd6371/attachment.sig>


More information about the ffmpeg-devel mailing list