[FFmpeg-devel,2/3] avcodec/alsdec: Fix integer overflow in decode_var_block_data()

Submitted by Michael Niedermayer on Aug. 18, 2019, 11:30 p.m.

Details

Message ID 20190818233054.2069-2-michael@niedermayer.cc
State Accepted
Commit 661a9b274b0181b2e36ff21fd13840f35992bea6

Commit Message

Michael Niedermayer Aug. 18, 2019, 11:30 p.m.
Fixes: signed integer overflow: 1927975249 - -514719744 cannot be represented in type 'int'
Fixes: 16413/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5651206856245248

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/alsdec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Thilo Borgmann Aug. 19, 2019, 5:41 a.m.
On 19.08.19 at 01:30, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 1927975249 - -514719744 cannot be represented in type 'int'
> Fixes: 16413/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5651206856245248
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/alsdec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
> index 425cf73be9..4794556aad 100644
> --- a/libavcodec/alsdec.c
> +++ b/libavcodec/alsdec.c
> @@ -953,7 +953,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
>  
>          // reconstruct difference signal for prediction (joint-stereo)
>          if (bd->js_blocks && bd->raw_other) {
> -            int32_t *left, *right;
> +            uint32_t *left, *right;
>  
>              if (bd->raw_other > raw_samples) {  // D = R - L
>                  left  = raw_samples;
> 

LGTM

-Thilo
Michael Niedermayer Aug. 20, 2019, 2:59 p.m.
On Mon, Aug 19, 2019 at 07:41:56AM +0200, Thilo Borgmann wrote:
> On 19.08.19 at 01:30, Michael Niedermayer wrote:
> > Fixes: signed integer overflow: 1927975249 - -514719744 cannot be represented in type 'int'
> > Fixes: 16413/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ALS_fuzzer-5651206856245248
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/alsdec.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
> > index 425cf73be9..4794556aad 100644
> > --- a/libavcodec/alsdec.c
> > +++ b/libavcodec/alsdec.c
> > @@ -953,7 +953,7 @@ static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
> >  
> >          // reconstruct difference signal for prediction (joint-stereo)
> >          if (bd->js_blocks && bd->raw_other) {
> > -            int32_t *left, *right;
> > +            uint32_t *left, *right;
> >  
> >              if (bd->raw_other > raw_samples) {  // D = R - L
> >                  left  = raw_samples;
> > 
> 
> LGTM

will apply

thx

[...]

Patch

diff --git a/libavcodec/alsdec.c b/libavcodec/alsdec.c
index 425cf73be9..4794556aad 100644
--- a/libavcodec/alsdec.c
+++ b/libavcodec/alsdec.c
@@ -953,7 +953,7 @@  static int decode_var_block_data(ALSDecContext *ctx, ALSBlockData *bd)
 
         // reconstruct difference signal for prediction (joint-stereo)
         if (bd->js_blocks && bd->raw_other) {
-            int32_t *left, *right;
+            uint32_t *left, *right;
 
             if (bd->raw_other > raw_samples) {  // D = R - L
                 left  = raw_samples;
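
Review bot: the new `uint32_t *left, *right;` declaration carries no comment saying that the unsigned type is there so the joint-stereo difference (`D = R - L`) wraps modulo 2^32 instead of overflowing a signed int, so a later cleanup could change it back to `int32_t *` and reintroduce the undefined behaviour named in the commit message. A one-line comment on the declaration would guard against that. The following `left  = raw_samples;` now assigns into a `uint32_t *`; the declaration of `raw_samples` is outside the hunk, but if it is a signed sample pointer, as the removed `int32_t *` declaration suggests, the assignment differs in pointer signedness and compilers may warn without an explicit cast. The subtraction and the store of its result are also outside the visible context, so it is worth confirming there that the wrapped value is written back through the intended type.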