diff mbox

[FFmpeg-devel,2/9] 4xm: prevent overflow during block alignment calculation

Message ID 38f981e9-5259-6197-3589-bd30d7238811@googlemail.com
State Accepted
Headers show

Commit Message

Andreas Cadhalpun Jan. 6, 2017, 8:27 p.m. UTC 
On 06.01.2017 20:58, Ronald S. Bultje wrote:
> Hi,
> 
> On Fri, Jan 6, 2017 at 2:47 PM, Andreas Cadhalpun <
> andreas.cadhalpun@googlemail.com> wrote:
> 
>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
>> ---
>>  libavformat/4xm.c | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/libavformat/4xm.c b/libavformat/4xm.c
>> index 2758b69d29..45949c4e97 100644
>> --- a/libavformat/4xm.c
>> +++ b/libavformat/4xm.c
>> @@ -187,6 +187,7 @@ static int parse_strk(AVFormatContext *s,
>>      st->codecpar->bit_rate              = (int64_t)st->codecpar->channels
>> *
>>                                            st->codecpar->sample_rate *
>>                                            st->codecpar->bits_per_coded_
>> sample;
>> +    FF_RETURN_ON_OVERFLOW(s, st->codecpar->channels &&
>> st->codecpar->bits_per_coded_sample > INT_MAX / st->codecpar->channels)
>>      st->codecpar->block_align           = st->codecpar->channels *
>>                                            st->codecpar->bits_per_coded_
>> sample;
>>
>> --
>> 2.11.0
> 
> 
> To an innocent reader (who doesn't know/care about SIGFPE), this might look
> like channels = 0 is an actual valid decoder condition that is explicitly
> handled here.

Actually this function errors out earlier if channels is zero, so I've removed
this pointless additional check. Updated patch is attached.

Best regards,
Andreas

Comments

Michael Niedermayer Jan. 7, 2017, 1:31 a.m. UTC | #1 
On Fri, Jan 06, 2017 at 09:27:29PM +0100, Andreas Cadhalpun wrote:
> On 06.01.2017 20:58, Ronald S. Bultje wrote:
> > Hi,
> > 
> > On Fri, Jan 6, 2017 at 2:47 PM, Andreas Cadhalpun <
> > andreas.cadhalpun@googlemail.com> wrote:
> > 
> >> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
> >> ---
> >>  libavformat/4xm.c | 1 +
> >>  1 file changed, 1 insertion(+)
> >>
> >> diff --git a/libavformat/4xm.c b/libavformat/4xm.c
> >> index 2758b69d29..45949c4e97 100644
> >> --- a/libavformat/4xm.c
> >> +++ b/libavformat/4xm.c
> >> @@ -187,6 +187,7 @@ static int parse_strk(AVFormatContext *s,
> >>      st->codecpar->bit_rate              = (int64_t)st->codecpar->channels
> >> *
> >>                                            st->codecpar->sample_rate *
> >>                                            st->codecpar->bits_per_coded_
> >> sample;
> >> +    FF_RETURN_ON_OVERFLOW(s, st->codecpar->channels &&
> >> st->codecpar->bits_per_coded_sample > INT_MAX / st->codecpar->channels)
> >>      st->codecpar->block_align           = st->codecpar->channels *
> >>                                            st->codecpar->bits_per_coded_
> >> sample;
> >>
> >> --
> >> 2.11.0
> > 
> > 
> > To an innocent reader (who doesn't know/care about SIGFPE), this might look
> > like channels = 0 is an actual valid decoder condition that is explicitly
> > handled here.
> 
> Actually this function errors out earlier if channels is zero, so I've removed
> this pointless additional check. Updated patch is attached.
> 
> Best regards,
> Andreas
> 
> 

>  4xm.c |    1 +
>  1 file changed, 1 insertion(+)
> 4b27cb10f25865014fac1666956f7040d65113f9  0002-4xm-prevent-overflow-during-block-alignment-calculat.patch
> From 861b62eec30feaa56b10eec7ba4029daf48a3c28 Mon Sep 17 00:00:00 2001
> From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
> Date: Thu, 15 Dec 2016 02:14:31 +0100
> Subject: [PATCH 2/9] 4xm: prevent overflow during block alignment calculation
> 
> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
> ---
>  libavformat/4xm.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/libavformat/4xm.c b/libavformat/4xm.c
> index 2758b69d29..58729fed0d 100644
> --- a/libavformat/4xm.c
> +++ b/libavformat/4xm.c
> @@ -187,6 +187,7 @@ static int parse_strk(AVFormatContext *s,
>      st->codecpar->bit_rate              = (int64_t)st->codecpar->channels *
>                                            st->codecpar->sample_rate *
>                                            st->codecpar->bits_per_coded_sample;
> +    FF_RETURN_ON_OVERFLOW(s, st->codecpar->bits_per_coded_sample > INT_MAX / st->codecpar->channels)
>      st->codecpar->block_align           = st->codecpar->channels *
>                                            st->codecpar->bits_per_coded_sample;

i think we should check channels for > 8 or something and ask for a
sample and check bits_per_coded_sample against what maximal sensible
value of bits a sample and ask for a sample if above

the patch should be ok

thx

[...]
Andreas Cadhalpun Jan. 26, 2017, 1:09 a.m. UTC | #2 
On 07.01.2017 02:31, Michael Niedermayer wrote:
> On Fri, Jan 06, 2017 at 09:27:29PM +0100, Andreas Cadhalpun wrote:
>>  4xm.c |    1 +
>>  1 file changed, 1 insertion(+)
>> 4b27cb10f25865014fac1666956f7040d65113f9  0002-4xm-prevent-overflow-during-block-alignment-calculat.patch
>> From 861b62eec30feaa56b10eec7ba4029daf48a3c28 Mon Sep 17 00:00:00 2001
>> From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
>> Date: Thu, 15 Dec 2016 02:14:31 +0100
>> Subject: [PATCH 2/9] 4xm: prevent overflow during block alignment calculation
>>
>> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
>> ---
>>  libavformat/4xm.c | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/libavformat/4xm.c b/libavformat/4xm.c
>> index 2758b69d29..58729fed0d 100644
>> --- a/libavformat/4xm.c
>> +++ b/libavformat/4xm.c
>> @@ -187,6 +187,7 @@ static int parse_strk(AVFormatContext *s,
>>      st->codecpar->bit_rate              = (int64_t)st->codecpar->channels *
>>                                            st->codecpar->sample_rate *
>>                                            st->codecpar->bits_per_coded_sample;
>> +    FF_RETURN_ON_OVERFLOW(s, st->codecpar->bits_per_coded_sample > INT_MAX / st->codecpar->channels)
>>      st->codecpar->block_align           = st->codecpar->channels *
>>                                            st->codecpar->bits_per_coded_sample;
> 
> i think we should check channels for > 8 or something and ask for a
> sample and check bits_per_coded_sample against what maximal sensible
> value of bits a sample and ask for a sample if above

Actually avcodec_open2 already errors out if channels is larger than
FF_SANE_NB_CHANNELS = 64. That check can already be done in the demuxer.
Then defining INT_MAX / 64 as maximal sensible value of bits_per_coded_sample
eliminates the need for FF_RETURN_ON_OVERFLOW checks.

I'll send an updated patch series.

Best regards,
Andreas
diff mbox

Patch

From 861b62eec30feaa56b10eec7ba4029daf48a3c28 Mon Sep 17 00:00:00 2001
From: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
Date: Thu, 15 Dec 2016 02:14:31 +0100
Subject: [PATCH 2/9] 4xm: prevent overflow during block alignment calculation

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com>
---
 libavformat/4xm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libavformat/4xm.c b/libavformat/4xm.c
index 2758b69d29..58729fed0d 100644
--- a/libavformat/4xm.c
+++ b/libavformat/4xm.c
@@ -187,6 +187,7 @@  static int parse_strk(AVFormatContext *s,
     st->codecpar->bit_rate              = (int64_t)st->codecpar->channels *
                                           st->codecpar->sample_rate *
                                           st->codecpar->bits_per_coded_sample;
+    FF_RETURN_ON_OVERFLOW(s, st->codecpar->bits_per_coded_sample > INT_MAX / st->codecpar->channels)
     st->codecpar->block_align           = st->codecpar->channels *
                                           st->codecpar->bits_per_coded_sample;
 
-- 
2.11.0