[FFmpeg-devel,6/6] avfilter/af_surround: Check av_channel_layout_channel_from_index() stays within the fixed array used

Message ID 20240707184729.3525852-6-michael@niedermayer.cc
State New
Series [FFmpeg-devel,1/6] avcodec/tiff: Check value on positive signed targets

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 fail Make fate failed
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Michael Niedermayer July 7, 2024, 6:47 p.m. UTC
Fixes: CID1516994 Out-of-bounds access
Fixes: CID1516996 Out-of-bounds access
Fixes: CID1516999 Out-of-bounds access

Sponsored-by: Sovereign Tech Fund
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavfilter/af_surround.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Andreas Rheinhardt July 7, 2024, 7:05 p.m. UTC | #1
Michael Niedermayer:
> Fixes: CID1516994 Out-of-bounds access
> Fixes: CID1516996 Out-of-bounds access
> Fixes: CID1516999 Out-of-bounds access
> 
> Sponsored-by: Sovereign Tech Fund
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavfilter/af_surround.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/libavfilter/af_surround.c b/libavfilter/af_surround.c
> index e37dddc3614..fab39a37ea9 100644
> --- a/libavfilter/af_surround.c
> +++ b/libavfilter/af_surround.c
> @@ -269,6 +269,9 @@ static int config_output(AVFilterLink *outlink)
>  
>      for (int ch = 0; ch < outlink->ch_layout.nb_channels; ch++) {
>          float iscale = 1.f;
> +        const int chan = av_channel_layout_channel_from_index(&s->out_ch_layout, ch);
> +        if (chan >= FF_ARRAY_ELEMS(sc_map))
> +            return AVERROR_PATCHWELCOME;
>  
>          ret = av_tx_init(&s->irdft[ch], &s->itx_fn, AV_TX_FLOAT_RDFT,
>                           1, s->win_size, &iscale, 0);

Can this happen?

- Andreas
Andreas Rheinhardt July 7, 2024, 7:12 p.m. UTC | #2
Andreas Rheinhardt:
> Michael Niedermayer:
>> Fixes: CID1516994 Out-of-bounds access
>> Fixes: CID1516996 Out-of-bounds access
>> Fixes: CID1516999 Out-of-bounds access
>>
>> Sponsored-by: Sovereign Tech Fund
>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>> ---
>>  libavfilter/af_surround.c | 3 +++
>>  1 file changed, 3 insertions(+)
>>
>> diff --git a/libavfilter/af_surround.c b/libavfilter/af_surround.c
>> index e37dddc3614..fab39a37ea9 100644
>> --- a/libavfilter/af_surround.c
>> +++ b/libavfilter/af_surround.c
>> @@ -269,6 +269,9 @@ static int config_output(AVFilterLink *outlink)
>>  
>>      for (int ch = 0; ch < outlink->ch_layout.nb_channels; ch++) {
>>          float iscale = 1.f;
>> +        const int chan = av_channel_layout_channel_from_index(&s->out_ch_layout, ch);
>> +        if (chan >= FF_ARRAY_ELEMS(sc_map))
>> +            return AVERROR_PATCHWELCOME;
>>  
>>          ret = av_tx_init(&s->irdft[ch], &s->itx_fn, AV_TX_FLOAT_RDFT,
>>                           1, s->win_size, &iscale, 0);
> 
> Can this happen?
> 

Apart from that: I think you are mistaken when you believe that this
will "fix" the issue. Coverity will not think that these issues are
fixed even with this check.

- Andreas
Michael Niedermayer July 7, 2024, 9:59 p.m. UTC | #3
On Sun, Jul 07, 2024 at 09:12:06PM +0200, Andreas Rheinhardt wrote:
> Andreas Rheinhardt:
> > Michael Niedermayer:
> >> Fixes: CID1516994 Out-of-bounds access
> >> Fixes: CID1516996 Out-of-bounds access
> >> Fixes: CID1516999 Out-of-bounds access
> >>
> >> Sponsored-by: Sovereign Tech Fund
> >> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> >> ---
> >>  libavfilter/af_surround.c | 3 +++
> >>  1 file changed, 3 insertions(+)
> >>
> >> diff --git a/libavfilter/af_surround.c b/libavfilter/af_surround.c
> >> index e37dddc3614..fab39a37ea9 100644
> >> --- a/libavfilter/af_surround.c
> >> +++ b/libavfilter/af_surround.c
> >> @@ -269,6 +269,9 @@ static int config_output(AVFilterLink *outlink)
> >>  
> >>      for (int ch = 0; ch < outlink->ch_layout.nb_channels; ch++) {
> >>          float iscale = 1.f;
> >> +        const int chan = av_channel_layout_channel_from_index(&s->out_ch_layout, ch);
> >> +        if (chan >= FF_ARRAY_ELEMS(sc_map))
> >> +            return AVERROR_PATCHWELCOME;
> >>  
> >>          ret = av_tx_init(&s->irdft[ch], &s->itx_fn, AV_TX_FLOAT_RDFT,
> >>                           1, s->win_size, &iscale, 0);
> > 
> > Can this happen?

IMHO, this doesn't matter. A filter that depends on an audio channel layout
API from another lib cannot depend on its implementation but just the
public API/ABI.
So even if the av_channel_layout_* API didn't allow us to set such layout
today we would need to check for it.

Now, can this happen?
Try this:

./ffmpeg -i matrixbench_mpeg2.mpg -af surround=chl_out="123456789" -f null -

I get a
Segmentation fault (core dumped)

and it doesn't segfault after the patch


> > 
> 
> Apart from that: I think you are mistaken when you believe that this
> will "fix" the issue. Coverity will not think that these issues are
> fixed even with this check.

After this patch the issue is either detected as fixed or not;
if not, then it becomes a false positive, and either way it is fixed.

thx

[...]
James Almer July 8, 2024, 2:28 a.m. UTC | #4
On 7/7/2024 6:59 PM, Michael Niedermayer wrote:
> On Sun, Jul 07, 2024 at 09:12:06PM +0200, Andreas Rheinhardt wrote:
>> Andreas Rheinhardt:
>>> Michael Niedermayer:
>>>> Fixes: CID1516994 Out-of-bounds access
>>>> Fixes: CID1516996 Out-of-bounds access
>>>> Fixes: CID1516999 Out-of-bounds access
>>>>
>>>> Sponsored-by: Sovereign Tech Fund
>>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>>> ---
>>>>   libavfilter/af_surround.c | 3 +++
>>>>   1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/libavfilter/af_surround.c b/libavfilter/af_surround.c
>>>> index e37dddc3614..fab39a37ea9 100644
>>>> --- a/libavfilter/af_surround.c
>>>> +++ b/libavfilter/af_surround.c
>>>> @@ -269,6 +269,9 @@ static int config_output(AVFilterLink *outlink)
>>>>   
>>>>       for (int ch = 0; ch < outlink->ch_layout.nb_channels; ch++) {
>>>>           float iscale = 1.f;
>>>> +        const int chan = av_channel_layout_channel_from_index(&s->out_ch_layout, ch);
>>>> +        if (chan >= FF_ARRAY_ELEMS(sc_map))
>>>> +            return AVERROR_PATCHWELCOME;
>>>>   
>>>>           ret = av_tx_init(&s->irdft[ch], &s->itx_fn, AV_TX_FLOAT_RDFT,
>>>>                            1, s->win_size, &iscale, 0);
>>>
>>> Can this happen?
> 
> IMHO, this doesn't matter. A filter that depends on an audio channel layout
> API from another lib cannot depend on its implementation but just the
> public API/ABI.
> So even if the av_channel_layout_* API didn't allow us to set such layout
> today we would need to check for it.
> 
> Now, can this happen?
> Try this:
> 
> ./ffmpeg -i matrixbench_mpeg2.mpg -af surround=chl_out="123456789" -f null -
> 
> I get a
> Segmentation fault (core dumped)
> 
> and it doesn't segfault after the patch

This is (probably) a regression since 66afa361e816.
Maybe an output layout sanity check should be added back to init() in 
some form instead, to return EINVAL after an "Unsupported upmix" warning 
message is printed, like it used to be the case.
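A stand-alone C illustration, added here and not part of the patch or of FFmpeg, of the two checks discussed in this thread: the patch's in-loop comparison of the channel id against the sizeof-derived length of the fixed table, and a once-up-front validation of the whole output layout with an "Unsupported upmix" message, as suggested above. The contents of `sc_map`, `struct layout`, `configure_output`, `patch_style_rejects` and the sample layouts are constructed for this example and stand in for the real filter's types.

```c
#include <errno.h>
#include <stdio.h>

#define ARRAY_ELEMS(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed stand-in for the filter's fixed sc_map: one entry per channel
 * id the filter can upmix to; the values are arbitrary for this example. */
static const int sc_map[8] = { 10, 11, 12, 13, 14, 15, 16, 17 };

/* Minimal model of an output layout: nb_channels channel ids, in order, as
 * av_channel_layout_channel_from_index() would hand them back one by one. */
struct layout { int nb_channels; const int *ids; };

/* The patch's comparison as written: int against a sizeof-derived size_t.
 * A negative chan converts to a huge unsigned value and is rejected, but
 * only through that implicit conversion. Returns 1 when rejected. */
static int patch_style_rejects(int chan)
{
    return chan >= ARRAY_ELEMS(sc_map);
}

/* Init-time variant in the spirit of the old "Unsupported upmix" check:
 * validate every output channel id once, with the sign test spelled out,
 * and only then fill the per-channel table. Returns 0 or -EINVAL. */
static int configure_output(const struct layout *l, int *maps)
{
    for (int ch = 0; ch < l->nb_channels; ch++) {
        int chan = l->ids[ch];
        if (chan < 0 || (size_t)chan >= ARRAY_ELEMS(sc_map)) {
            fprintf(stderr, "Unsupported upmix: channel id %d at index %d\n",
                    chan, ch);
            return -EINVAL;
        }
    }
    for (int ch = 0; ch < l->nb_channels; ch++)
        maps[ch] = sc_map[l->ids[ch]];   /* in bounds: validated above */
    return 0;
}
/* Constructed layouts: all ids valid; an id past the end; a negative id. */
static const int ids_ok[3]  = { 0, 5, 7 };
static const int ids_big[2] = { 1, 9 };
static const int ids_neg[2] = { 2, -1 };

/* Runs configure_output() on one constructed layout; returns its result. */
static int demo(const int *ids, int n)
{
    struct layout l = { n, ids };
    int maps[3];
    return configure_output(&l, maps);
}
```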

Patch

diff --git a/libavfilter/af_surround.c b/libavfilter/af_surround.c
index e37dddc3614..fab39a37ea9 100644
--- a/libavfilter/af_surround.c
+++ b/libavfilter/af_surround.c
@@ -269,6 +269,9 @@  static int config_output(AVFilterLink *outlink)
 
     for (int ch = 0; ch < outlink->ch_layout.nb_channels; ch++) {
         float iscale = 1.f;
+        const int chan = av_channel_layout_channel_from_index(&s->out_ch_layout, ch);
+        if (chan >= FF_ARRAY_ELEMS(sc_map))
+            return AVERROR_PATCHWELCOME;
 
         ret = av_tx_init(&s->irdft[ch], &s->itx_fn, AV_TX_FLOAT_RDFT,
                          1, s->win_size, &iscale, 0);
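Review bot: the added check compares the `int` result of av_channel_layout_channel_from_index() against FF_ARRAY_ELEMS(sc_map), a sizeof-derived unsigned value, so a negative return (the function's error path) is rejected only through its implicit conversion to a very large unsigned number; write `if (chan < 0 || chan >= FF_ARRAY_ELEMS(sc_map))` so the intent is explicit and survives -Wsign-compare. Returning a bare AVERROR_PATCHWELCOME from inside the loop also gives the user no indication of which output channel was refused and happens after earlier iterations have already called av_tx_init(); validating the whole output layout once before the loop (or in init(), as suggested in the thread) with an av_log() message naming the offending channel and an EINVAL return would be the cleaner shape.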