#11686: [Security] signed integer overflow on libswscale/output.c
-------------------------------------+-------------------------------------
             Reporter:  flyfish101   |                    Owner:  (none)
                 Type:  defect       |                   Status:  new
             Priority:  important    |                Component:  swscale
              Version:  git-master   |               Resolution:
             Keywords:  swscale,     |               Blocked By:
                        overflow     |                 Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
Changes (by flyfish101):

 * priority:  critical => important


Old description:

> Summary of the bug:
> signed integer overflow
>
> poc:
> [https://drive.google.com/file/d/1afws3WCzvRBc213jnIMfz_96MFNglGzd/view?usp=sharing]
>
> fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout$ ./target_sws_fuzzer /home/fuzz/Desktop/langgraph/testpro/AFL-Agent/utils_c_389
> Reading 339 bytes from /home/fuzz/Desktop/langgraph/testpro/AFL-Agent/utils_c_389
> 2 x 3 yuva420p10le -> 26 x 3 bgra64le
> libswscale/output.c:1325:33: runtime error: signed integer overflow: -3421696 * 2048 cannot be represented in type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:33 in
> libswscale/output.c:1325:55: runtime error: signed integer overflow: -3421696 * 2048 cannot be represented in type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:55 in
> libswscale/output.c:1325:44: runtime error: signed integer overflow: 1582301184 + 1582301184 cannot be represented in type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:44 in
> libswscale/output.c:1325:65: runtime error: signed integer overflow: -1130364928 - 1073741824 cannot be represented in type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:65 in
> libswscale/output.c:1326:55: runtime error: signed integer overflow: -3487744 * 2048 cannot be represented in type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1326:55 in
> libswscale/output.c:1326:44: runtime error: signed integer overflow: 1073739776 + 1447034880 cannot be represented in type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1326:44 in
> libswscale/output.c:1326:65: runtime error: signed integer overflow: -1774192640 - 1073741824 cannot be represented in type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1326:65 in
> Execution successful.

New description:

 Summary of the bug:
 signed integer overflow

 version: 722a2170e83231283fc74bede495b3b4ee9591ac
 OS: Ubuntu 20.04LTS
 Compiler: clang-14

 poc:
 [https://drive.google.com/file/d/1afws3WCzvRBc213jnIMfz_96MFNglGzd/view?usp=sharing]

 fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout$ ./target_sws_fuzzer /home/fuzz/Desktop/langgraph/testpro/AFL-Agent/utils_c_389
 Reading 339 bytes from /home/fuzz/Desktop/langgraph/testpro/AFL-Agent/utils_c_389
 2 x 3 yuva420p10le -> 26 x 3 bgra64le
 libswscale/output.c:1325:33: runtime error: signed integer overflow: -3421696 * 2048 cannot be represented in type 'int'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:33 in
 libswscale/output.c:1325:55: runtime error: signed integer overflow: -3421696 * 2048 cannot be represented in type 'int'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:55 in
 libswscale/output.c:1325:44: runtime error: signed integer overflow: 1582301184 + 1582301184 cannot be represented in type 'int'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:44 in
 libswscale/output.c:1325:65: runtime error: signed integer overflow: -1130364928 - 1073741824 cannot be represented in type 'int'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:65 in
 libswscale/output.c:1326:55: runtime error: signed integer overflow: -3487744 * 2048 cannot be represented in type 'int'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1326:55 in
 libswscale/output.c:1326:44: runtime error: signed integer overflow: 1073739776 + 1447034880 cannot be represented in type 'int'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1326:44 in
 libswscale/output.c:1326:65: runtime error: signed integer overflow: -1774192640 - 1073741824 cannot be represented in type 'int'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1326:65 in
 Execution successful.

--
Ticket URL: <https://trac.ffmpeg.org/ticket/11686#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
_______________________________________________
FFmpeg-trac mailing list
FFmpeg-trac@avcodec.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-trac
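Added worked example (editor's code, not FFmpeg's and not the reporter's): the sanitizer output above can be decoded without looking at output.c. UBSan prints each operand as the 32-bit value the previous step actually left behind, so for line 1325 the sequence "-3421696 * 2048", then "1582301184 + 1582301184", then "-1130364928 - 1073741824" is exactly what evaluating an expression of the shape a*2048 + b*2048 - (1 << 30) in int produces when every overflowed intermediate wraps mod 2^32 (-3421696 * 2048 = -7007633408, which wraps to 1582301184). That expression shape, and the a = 524287 used for line 1326 (1073739776 / 2048, the one product there that did not overflow), are inferred from the log, not read from the source. The code replays the arithmetic with the GCC/clang overflow builtins, which return the wrapped result without undefined behaviour, and sets it beside a widened int64_t evaluation, the usual defined-behaviour alternative. The point a reviewer of the fix wants to see is that the exact results (-15089008640 and -7142901760) do not fit in int at all, so the question is what range the consumer of that value expects, not only which cast silences the sanitizer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Editor's example, not FFmpeg code.  The expression shape a*K + b*K - C
 * with K = 2048 and C = 1 << 30 is inferred from the operand sequence in the
 * ticket's UBSan log; the constants and operands below come from that log.
 */
enum { K = 2048, C = 1 << 30 };

typedef struct {
    int32_t mul_a, mul_b, sum, result; /* wrapped intermediates, as UBSan prints them */
    bool    overflowed;                /* true if any step left the int range */
} trace_t;

/* Replay the expression in 32-bit int without invoking UB: the overflow
 * builtins store the truncated (wrapped) result and report whether it differs
 * from the infinite-precision value.  GCC and clang builtins. */
static trace_t replay_int32(int32_t a, int32_t b)
{
    trace_t t = {0};
    t.overflowed |= __builtin_mul_overflow(a, K, &t.mul_a);
    t.overflowed |= __builtin_mul_overflow(b, K, &t.mul_b);
    t.overflowed |= __builtin_add_overflow(t.mul_a, t.mul_b, &t.sum);
    t.overflowed |= __builtin_sub_overflow(t.sum, C, &t.result);
    return t;
}

/* Defined-behaviour evaluation: widen before multiplying. */
static int64_t eval_exact(int32_t a, int32_t b)
{
    return (int64_t)a * K + (int64_t)b * K - C;
}

/* Reduce a 64-bit value mod 2^32 into a two's-complement int32_t; equals the
 * stepwise wrapped result because wrapping commutes with + - *. */
static int32_t wrap32(int64_t v)
{
    return (int32_t)(uint32_t)(uint64_t)v;
}

static bool fits_int32(int64_t v)
{
    return v >= INT32_MIN && v <= INT32_MAX;
}

static void show(const char *label, int32_t a, int32_t b)
{
    trace_t t = replay_int32(a, b);
    int64_t exact = eval_exact(a, b);
    printf("%s: a=%d b=%d\n", label, a, b);
    printf("  int32 steps: %d, %d -> %d -> %d (%s)\n",
           t.mul_a, t.mul_b, t.sum, t.result,
           t.overflowed ? "OVERFLOWED" : "ok");
    printf("  int64 exact: %lld (%s int32)\n", (long long)exact,
           fits_int32(exact) ? "fits" : "does not fit");
}

int main(void)
{
    /* Operands from the ticket's log.  For line 1326 the first product,
     * 1073739776, did not overflow; 1073739776 / 2048 = 524287 is that a. */
    show("output.c:1325", -3421696, -3421696);
    show("output.c:1326", 524287, -3487744);
    show("in-range sample", 1000, 1000);
    return 0;
}
```

Build with `-fsanitize=undefined` and the replay stays silent, because every step goes through the builtins; compile a plain `a*K + b*K - C` with the same operands and UBSan reproduces the ticket's messages.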