Message ID | 20191022142704.8818-1-michael@niedermayer.cc |
---|---|
State | Superseded |
Headers | show |
This code is dead and nonfunctional and should be removed ASAP! On 10/22/19, Michael Niedermayer <michael@niedermayer.cc> wrote: > Fixes: signed integer overflow: 1721520852 + 1721520852 cannot be > represented in type 'int' > Fixes: > 18346/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5709623893426176 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/sonic.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c > index 34d2952e69..b890d79c28 100644 > --- a/libavcodec/sonic.c > +++ b/libavcodec/sonic.c > @@ -144,6 +144,8 @@ static inline av_flatten int get_symbol(RangeCoder *c, > uint8_t *state, int is_si > e= 0; > while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 > e++; > + if (e > 31) > + return AVERROR_INVALIDDATA; > } > > a= 1; > -- > 2.23.0 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
On Tue, Oct 22, 2019 at 04:56:27PM +0200, Paul B Mahol wrote: > This code is dead and nonfunctional and should be removed ASAP! Its in several releases, which need this fix Even if it where removed from git master they still would need the fix > > On 10/22/19, Michael Niedermayer <michael@niedermayer.cc> wrote: > > Fixes: signed integer overflow: 1721520852 + 1721520852 cannot be > > represented in type 'int' > > Fixes: > > 18346/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5709623893426176 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/sonic.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c > > index 34d2952e69..b890d79c28 100644 > > --- a/libavcodec/sonic.c > > +++ b/libavcodec/sonic.c > > @@ -144,6 +144,8 @@ static inline av_flatten int get_symbol(RangeCoder *c, > > uint8_t *state, int is_si > > e= 0; > > while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 > > e++; > > + if (e > 31) > > + return AVERROR_INVALIDDATA; > > } > > > > a= 1; > > -- > > 2.23.0 > > > > _______________________________________________ > > ffmpeg-devel mailing list > > ffmpeg-devel@ffmpeg.org > > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > > > To unsubscribe, visit link above, or email > > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c index 34d2952e69..b890d79c28 100644 --- a/libavcodec/sonic.c +++ b/libavcodec/sonic.c @@ -144,6 +144,8 @@ static inline av_flatten int get_symbol(RangeCoder *c, uint8_t *state, int is_si e= 0; while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10 e++; + if (e > 31) + return AVERROR_INVALIDDATA; } a= 1;
Fixes: signed integer overflow: 1721520852 + 1721520852 cannot be represented in type 'int' Fixes: 18346/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5709623893426176 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/sonic.c | 2 ++ 1 file changed, 2 insertions(+)