[FFmpeg-devel] [PATCH 2/2] avcodec/binkaudio: Check sample_rate to avoid integer overflow

Lynne dev at lynne.ee
Sun Apr 19 18:52:01 EEST 2020


Apr 19, 2020, 16:05 by michael at niedermayer.cc:

> Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
> Fixes: 19950/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_DCT_fuzzer-5765514337189888
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavcodec/binkaudio.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c
> index 64a08b8608..2df3dc645a 100644
> --- a/libavcodec/binkaudio.c
> +++ b/libavcodec/binkaudio.c
> @@ -106,6 +106,9 @@ static av_cold int decode_init(AVCodecContext *avctx)
>  avctx->sample_fmt = AV_SAMPLE_FMT_FLTP;
>  }
>  
> +    if (sample_rate >= INT_MAX)
> +        return AVERROR_INVALIDDATA;
> +
>  s->frame_len     = 1 << frame_len_bits;
>  s->overlap_len   = s->frame_len / 16;
>  s->block_size    = (s->frame_len - s->overlap_len) * s->channels;
>
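Review bot: the new `if (sample_rate >= INT_MAX)` guard in decode_init() only rejects the single value `sample_rate == INT_MAX` (for an `int`, `>=` here is the same as `==`), and it sits after the existing `sample_rate > INT_MAX / avctx->channels` check quoted further down in this thread, so in that branch it is already unreachable. The commit message also names the overflow only by its fuzzer output (`2147483647 + 1`) without saying which expression in the decoder adds 1 to the rate; please state that expression and what bound it actually needs, so it is clear whether the existing sample-rate validation already covers it or the DCT path needs its own check.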

Did you even bother to look at the checks you added in this decoder previously?
Specifically 11 lines above?

> if (sample_rate > INT_MAX / avctx->channels)
>     return AVERROR_INVALIDDATA;
> sample_rate  *= avctx->channels;

To start with, the sample rate of the avctx is already checked in utils.c, and you
still haven't cleaned up any decoders from the checks made unnecessary by you,
so I am reminding you again to clean up the codebase by getting rid of them.
At least you might get to clean the codebase for once rather than adding crap like this.

So there's only the branch which I quoted that needs to be fixed, and since there's a
check there already, there's no reason to have a check here as well.
