On 10/12/2019 5:47 PM, Michael Niedermayer wrote:
> On Fri, Oct 11, 2019 at 08:51:54PM +1100, Peter Ross wrote:
>> On Fri, Oct 11, 2019 at 12:40:07AM +0200, Michael Niedermayer wrote:
>>> Fixes: signed integer overflow: 1092624416 * 2 cannot be represented in type 'int'
>>> Fixes: 18045/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BINKAUDIO_RDFT_fuzzer-5718519492116480
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
>>> ---
>>>  libavcodec/binkaudio.c | 2 ++
>>>  1 file changed, 2 insertions(+)
>>>
>>> diff --git a/libavcodec/binkaudio.c b/libavcodec/binkaudio.c
>>> index 96cf968c66..2384ebf312 100644
>>> --- a/libavcodec/binkaudio.c
>>> +++ b/libavcodec/binkaudio.c
>>> @@ -95,6 +95,8 @@ static av_cold int decode_init(AVCodecContext *avctx)
>>>      if (avctx->codec->id == AV_CODEC_ID_BINKAUDIO_RDFT) {
>>>          // audio is already interleaved for the RDFT format variant
>>>          avctx->sample_fmt = AV_SAMPLE_FMT_FLT;
>>> +        if (sample_rate > INT_MAX / avctx->channels)
>>> +            return AVERROR_INVALIDDATA;
>>>          sample_rate  *= avctx->channels;
>>>          s->channels = 1;
>>>          if (!s->version_b)
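
Review bot: the added test "if (sample_rate > INT_MAX / avctx->channels)"
divides by avctx->channels, so it is only well defined if channels is
already known to be positive when decode_init() reaches this branch, and
nothing in the hunk shows that. Either fold an avctx->channels <= 0 test
into the condition or add a comment naming the earlier check it relies on.
The comparison also bounds only the positive side, so a negative
sample_rate passes it and still reaches "sample_rate *= avctx->channels".
A one-line comment saying the test exists to keep that multiplication
inside int would help, since the reason is otherwise only in the commit
message.
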
>>> -- 
>>> 2.23.0
>>
>> I think this check belongs inside the fuzzer test harness, or as a general
>> purpose codec check.
>>
>> The bink and smacker demuxers will only ever use BINKAUDIO_RDFT with 1 or 2
>> channels.
> 
> In the case of the overflow channels was 2
> 
> what check do you suggest to be done in general code ?
> A check specific to the fuzzer would fail to prevent this from happening
> outside the fuzzer
> 
> Thanks

Judging by the bink demuxer reading 16 bits for sample_rate, I assume
binkaudio has a max valid value for it, like 44k or 48k, in which case a
check like the one for channels at the beginning of this function would
be the proper non general code fix. If not one of those two values, then
just <= UINT16_MAX.
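
Added example, not part of the thread or of FFmpeg's code: the two approaches discussed above (an overflow guard before the multiplication, and a range check on the inputs) side by side, to show which inputs each one accepts. The function names and status codes are hypothetical, the bounds (1 or 2 channels, a 16-bit sample_rate) are assumptions taken from what the replies state, and int is assumed to be 32 bits.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status codes for this example (not FFmpeg's AVERROR values). */
#define EX_OK        0
#define EX_INVALID (-1)

/* Overflow guard in the style of the patch. channels and sample_rate are
 * also required to be positive, so the division is defined and the
 * comparison covers every int the caller can pass. */
static int scale_rate_overflow_guard(int sample_rate, int channels, int *out)
{
    if (channels <= 0 || sample_rate <= 0)
        return EX_INVALID;
    if (sample_rate > INT_MAX / channels)
        return EX_INVALID;
    *out = sample_rate * channels;
    return EX_OK;
}

/* Range check in the style suggested in the reply. Assumed bounds: 1 or 2
 * channels, sample_rate fits in 16 bits. With both bounded the product is
 * at most 2 * 65535, which cannot overflow a 32-bit int. */
static int scale_rate_range_check(int sample_rate, int channels, int *out)
{
    if (channels < 1 || channels > 2)
        return EX_INVALID;
    if (sample_rate <= 0 || sample_rate > UINT16_MAX)
        return EX_INVALID;
    *out = sample_rate * channels;
    return EX_OK;
}

int main(void)
{
    /* Constructed inputs; the first is the value from the fuzzer report. */
    const int rates[] = { 1092624416, 1000000, 44100 };
    for (size_t i = 0; i < sizeof(rates) / sizeof(rates[0]); i++) {
        int a = 0, b = 0;
        int ra = scale_rate_overflow_guard(rates[i], 2, &a);
        int rb = scale_rate_range_check(rates[i], 2, &b);
        printf("rate=%d guard=%s range=%s\n", rates[i],
               ra == EX_OK ? "accept" : "reject",
               rb == EX_OK ? "accept" : "reject");
    }
    return 0;
}
```

The middle input is the interesting one: the overflow guard accepts it because the product still fits in int, while the range check rejects it as outside what the container field could carry.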