[FFmpeg-devel] [PATCH 1/5] avcodec/binkaudio: Check sample rate

Wed Oct 16 20:54:25 EEST 2019

On Tue, Oct 15, 2019 at 08:44:23PM +1100, Peter Ross wrote:
> On Mon, Oct 14, 2019 at 10:06:55PM +0200, Michael Niedermayer wrote:
> > On Sun, Oct 13, 2019 at 10:51:49AM +1100, Peter Ross wrote:
> > > On Sat, Oct 12, 2019 at 06:53:05PM -0300, James Almer wrote:
> > > > On 10/12/2019 5:47 PM, Michael Niedermayer wrote:
> > > > > On Fri, Oct 11, 2019 at 08:51:54PM +1100, Peter Ross wrote:
> > > > >> On Fri, Oct 11, 2019 at 12:40:07AM +0200, Michael Niedermayer wrote:
> > > > >>> Fixes: signed integer overflow: 1092624416 * 2 cannot be represented in type 'int'
> > > > >>> Fixes: 18045/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_RDFT_fuzzer-5718519492116480
> > > > >>>
> > > > >>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > > > >>> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > > > >>> ---
> > > > >>>  libavcodec/binkaudio.c | 2 ++
> > > > >>>  1 file changed, 2 insertions(+)
> > > > >>>
> > > > >>> diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c
> > > > >>> index 96cf968c66..2384ebf312 100644
> > > > >>> --- a/libavcodec/binkaudio.c
> > > > >>> +++ b/libavcodec/binkaudio.c
> > > > >>> @@ -95,6 +95,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
> > > > >>>      if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT) {
> > > > >>>          // audio is already interleaved for the RDFT format variant
> > > > >>>          avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
> > > > >>> +        if (sample_rate > INT_MAX / avctx->channels)
> > > > >>> +            return AVERROR_INVALIDDATA;
> > > > >>>          sample_rate  *= avctx->channels;
> > > > >>>          s->channels = 1;
> > > > >>>          if (!s->version_b)
> > > > >>> -- 
> > > > >>> 2.23.0
> > > > >>
> > > > >> i think this checl belongs inside the fuzzer test harness, or as a general
> > > > >> purpose codec check.
> > > > >>
> > > > >> the bink and smaker demuxers will only ever use BINKAUDIO_RDFT with 1 or 2 channels.
> > > > > 
> > > > > In the case of the overflow channels was 2
> > > > > 
> > > > > what check do you suggest to be done in general code ?
> > > > > A check specific to the fuzzer would fail to prevent this from happening
> > > > > outside the fuzzer
> > > 
> > > fair enough, approve patch.
> > > 
> > > > Judging by the bink demuxer reading 16 bits for sample_rate, I assume
> > > > binkaudio has a max valid value for it, like 44k or 48k, in which case a
> > > > check like the one for channels at the beginning of this function would
> > > > be the proper non general code fix. If not one of those two values, then
> > > > just <= UINT16_MAX.
> > > 
> > > the bink demuxer supplied sample_reate is 16-bits wide, smacker is 24-bits.
> > > the error can never happen when using ffmpeg+libavformat+libavcodec to play any
> > > bink or smacker files, but i guess we need to account for other use cases.
> > 
> > do you prefer the original patch or a check based on the maximum the current
> > demuxers can inject (24bits) ?
> 
> original one is good.

ok will apply that

thanks

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Freedom in capitalist society always remains about the same as it was in
ancient Greek republics: Freedom for slave owners. -- Vladimir Lenin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20191016/4602e32f/attachment.sig>