On 10/12/2019 5:47 PM, Michael Niedermayer wrote: > On Fri, Oct 11, 2019 at 08:51:54PM +1100, Peter Ross wrote: >> On Fri, Oct 11, 2019 at 12:40:07AM +0200, Michael Niedermayer wrote: >>> Fixes: signed integer overflow: 1092624416 * 2 cannot be represented in >>> type 'int' >>> Fixes: >>> 18045/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_RDFT_fuzzer-5718519492116480 >>> >>> Found-by: continuous fuzzing process >>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg >>> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> >>> --- >>> libavcodec/binkaudio.c | 2 ++ >>> 1 file changed, 2 insertions(+) >>> >>> diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c >>> index 96cf968c66..2384ebf312 100644 >>> --- a/libavcodec/binkaudio.c >>> +++ b/libavcodec/binkaudio.c >>> @@ -95,6 +95,8 @@ static av_cold int decode_init(AVCodecContext *avctx) >>> if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT) { >>> // audio is already interleaved for the RDFT format variant >>> avctx->sample_fmt = AV_SAMPLE_FMT_FLT; >>> + if (sample_rate > INT_MAX / avctx->channels) >>> + return AVERROR_INVALIDDATA; >>> sample_rate *= avctx->channels; >>> s->channels = 1; >>> if (!s->version_b) >>> -- >>> 2.23.0 >> >> i think this checl belongs inside the fuzzer test harness, or as a general >> purpose codec check. >> >> the bink and smaker demuxers will only ever use BINKAUDIO_RDFT with 1 or 2 >> channels. > > In the case of the overflow channels was 2 > > what check do you suggest to be done in general code ? > A check specific to the fuzzer would fail to prevent this from happening > outside the fuzzer > > Thanks
Judging by the bink demuxer reading 16 bits for sample_rate, I assume binkaudio has a max valid value for it, like 44k or 48k, in which case a check like the one for channels at the beginning of this function would be the proper non general code fix. If not one of those two values, then just <= UINT16_MAX. _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".