Re: [FFmpeg-devel] [PATCH 4/4] avformat/vividas: Fixes overflow in shift in recover_key()
On Sat, Jun 29, 2019 at 05:44:21AM +0200, Reimar Döffinger wrote: > > > On 28.06.2019, at 22:53, Michael Niedermayer wrote: > > > Fixes: left shift of 133 by 24 places cannot be represented in type 'int' > > Fixes: > > 15365/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5716153105645568 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer > > --- > > libavformat/vividas.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libavformat/vividas.c b/libavformat/vividas.c > > index 753328245d..ed2eaea633 100644 > > --- a/libavformat/vividas.c > > +++ b/libavformat/vividas.c > > @@ -118,7 +118,7 @@ static unsigned recover_key(unsigned char sample[4], > > unsigned expected_size) > > return (sample[0]^plaintext[0])| > > ((sample[1]^plaintext[1])<<8)| > > ((sample[2]^plaintext[2])<<16)| > > -((sample[3]^plaintext[3])<<24); > > +((unsigned)(sample[3]^plaintext[3])<<24); > > Shouldn't this just be > return AV_RL32(sample) ^ AV_RL32(plaintext); > ? yes, will change it to this thx > If so, the code might be worthy of review for more needless > overcomplication... > ___ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe". -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB The smallest minority on earth is the individual. Those who deny individual rights cannot claim to be defenders of minorities. - Ayn Rand signature.asc Description: PGP signature ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH 4/4] avformat/vividas: Fixes overflow in shift in recover_key()
On 28.06.2019, at 22:53, Michael Niedermayer wrote: > Fixes: left shift of 133 by 24 places cannot be represented in type 'int' > Fixes: > 15365/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5716153105645568 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer > --- > libavformat/vividas.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavformat/vividas.c b/libavformat/vividas.c > index 753328245d..ed2eaea633 100644 > --- a/libavformat/vividas.c > +++ b/libavformat/vividas.c > @@ -118,7 +118,7 @@ static unsigned recover_key(unsigned char sample[4], > unsigned expected_size) > return (sample[0]^plaintext[0])| > ((sample[1]^plaintext[1])<<8)| > ((sample[2]^plaintext[2])<<16)| > -((sample[3]^plaintext[3])<<24); > +((unsigned)(sample[3]^plaintext[3])<<24); Shouldn't this just be return AV_RL32(sample) ^ AV_RL32(plaintext); ? If so, the code might be worthy of review for more needless overcomplication... ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH 4/4] avformat/vividas: Fixes overflow in shift in recover_key()
Fixes: left shift of 133 by 24 places cannot be represented in type 'int' Fixes: 15365/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5716153105645568 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavformat/vividas.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavformat/vividas.c b/libavformat/vividas.c index 753328245d..ed2eaea633 100644 --- a/libavformat/vividas.c +++ b/libavformat/vividas.c @@ -118,7 +118,7 @@ static unsigned recover_key(unsigned char sample[4], unsigned expected_size) return (sample[0]^plaintext[0])| ((sample[1]^plaintext[1])<<8)| ((sample[2]^plaintext[2])<<16)| -((sample[3]^plaintext[3])<<24); +((unsigned)(sample[3]^plaintext[3])<<24); } static void xor_block(void *p1, void *p2, unsigned size, int key, unsigned *key_ptr) -- 2.22.0 ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".