Message ID | 20221105201629.1980-3-michael@niedermayer.cc |
---|---|
State | New |
Headers | show |
Series | [FFmpeg-devel,1/4] avcodec/dts2pts_bsf: Check ctx for NULL before ff_cbs_flush() | expand |
Context | Check | Description |
---|---|---|
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
On 11/5/22, Michael Niedermayer <michael@niedermayer.cc> wrote: > Fixes: signed integer overflow: -2889074 * 2048 cannot be represented in > type 'int' > Fixes: > 51363/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5660734784143360 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/bonk.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c > index 471e09fe14..1695229dbd 100644 > --- a/libavcodec/bonk.c > +++ b/libavcodec/bonk.c > @@ -363,12 +363,17 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame > *frame, > return ret; > > for (int i = 0; i < samples_per_packet; i++) { > + int64_t t64; > for (int j = 0; j < s->down_sampling - 1; j++) { > sample[0] = predictor_calc_error(s->k, state, s->n_taps, > 0); > sample++; > } > > - sample[0] = predictor_calc_error(s->k, state, s->n_taps, > s->input_samples[i] * quant); > + t64 = s->input_samples[i] * (int64_t)quant; > + if ((int32_t)t64 != t64) > + return AVERROR_INVALIDDATA; > + > + sample[0] = predictor_calc_error(s->k, state, s->n_taps, t64); > sample++; > } > NAK, using int64_t and thus slowing things down. > -- > 2.17.1 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". >
On Sun, Nov 06, 2022 at 09:51:57AM +0100, Paul B Mahol wrote: > On 11/5/22, Michael Niedermayer <michael@niedermayer.cc> wrote: > > Fixes: signed integer overflow: -2889074 * 2048 cannot be represented in > > type 'int' > > Fixes: > > 51363/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5660734784143360 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/bonk.c | 7 ++++++- > > 1 file changed, 6 insertions(+), 1 deletion(-) > > > > diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c > > index 471e09fe14..1695229dbd 100644 > > --- a/libavcodec/bonk.c > > +++ b/libavcodec/bonk.c > > @@ -363,12 +363,17 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame > > *frame, > > return ret; > > > > for (int i = 0; i < samples_per_packet; i++) { > > + int64_t t64; > > for (int j = 0; j < s->down_sampling - 1; j++) { > > sample[0] = predictor_calc_error(s->k, state, s->n_taps, > > 0); > > sample++; > > } > > > > - sample[0] = predictor_calc_error(s->k, state, s->n_taps, > > s->input_samples[i] * quant); > > + t64 = s->input_samples[i] * (int64_t)quant; > > + if ((int32_t)t64 != t64) > > + return AVERROR_INVALIDDATA; > > + > > + sample[0] = predictor_calc_error(s->k, state, s->n_taps, t64); > > sample++; > > } > > > > NAK, using int64_t and thus slowing things down. this code has little speed relevance, a single interation of this loop takes over 1300 cpu cycles already and it is faster, why, no clue, i guess it maybe reshuffles some speed relevant bits int 13145422 decicycles in QUA, 8192 runs, 0 skips 13175400 decicycles in QUA, 8192 runs, 0 skips 13260076 decicycles in QUA, 8192 runs, 0 skips int64 13049729 decicycles in QUA, 8192 runs, 0 skips 13049418 decicycles in QUA, 8192 runs, 0 skips 13038855 decicycles in QUA, 8192 runs, 0 skips [...]
diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c index 471e09fe14..1695229dbd 100644 --- a/libavcodec/bonk.c +++ b/libavcodec/bonk.c @@ -363,12 +363,17 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame *frame, return ret; for (int i = 0; i < samples_per_packet; i++) { + int64_t t64; for (int j = 0; j < s->down_sampling - 1; j++) { sample[0] = predictor_calc_error(s->k, state, s->n_taps, 0); sample++; } - sample[0] = predictor_calc_error(s->k, state, s->n_taps, s->input_samples[i] * quant); + t64 = s->input_samples[i] * (int64_t)quant; + if ((int32_t)t64 != t64) + return AVERROR_INVALIDDATA; + + sample[0] = predictor_calc_error(s->k, state, s->n_taps, t64); sample++; }
Fixes: signed integer overflow: -2889074 * 2048 cannot be represented in type 'int' Fixes: 51363/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5660734784143360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/bonk.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)