[FFmpeg-devel,4/5] avutil/lfg: Correct index type to avoid undefined behavior

Submitted by Michael Niedermayer on Oct. 19, 2019, 8:39 p.m.

Details

Message ID 20191019203950.11689-4-michael@niedermayer.cc
State New

Commit Message

Michael Niedermayer Oct. 19, 2019, 8:39 p.m.
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Fixes: 18333/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COMFORTNOISE_fuzzer-5668481831272448

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavutil/lfg.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

James Almer Oct. 19, 2019, 8:45 p.m.
On 10/19/2019 5:39 PM, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
> Fixes: 18333/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COMFORTNOISE_fuzzer-5668481831272448
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavutil/lfg.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/libavutil/lfg.h b/libavutil/lfg.h
> index 03f779ad8a..8b18df2cea 100644
> --- a/libavutil/lfg.h
> +++ b/libavutil/lfg.h
> @@ -26,7 +26,7 @@
>  
>  typedef struct AVLFG {
>      unsigned int state[64];
> -    int index;
> +    unsigned index;
>  } AVLFG;

Wouldn't this be considered an API change?

>  
>  void av_lfg_init(AVLFG *c, unsigned int seed);
>
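Review bot: the type change at `-    int index;` / `+    unsigned index;` lands in an installed public header, so any code outside libavutil that reads `index` directly sees a signed-to-unsigned change: the struct's size and layout are untouched, but comparisons in such code change meaning (an `index < 0` test can no longer be true, and a signed operand compared against the field is converted). The commit message should say whether the field is considered private; if it is not, an APIchanges entry and a doxygen comment on the struct marking the field internal would settle the question raised here.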
Michael Niedermayer Oct. 19, 2019, 9:15 p.m.
On Sat, Oct 19, 2019 at 05:45:04PM -0300, James Almer wrote:
> On 10/19/2019 5:39 PM, Michael Niedermayer wrote:
> > Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
> > Fixes: 18333/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COMFORTNOISE_fuzzer-5668481831272448
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavutil/lfg.h | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/libavutil/lfg.h b/libavutil/lfg.h
> > index 03f779ad8a..8b18df2cea 100644
> > --- a/libavutil/lfg.h
> > +++ b/libavutil/lfg.h
> > @@ -26,7 +26,7 @@
> >  
> >  typedef struct AVLFG {
> >      unsigned int state[64];
> > -    int index;
> > +    unsigned index;
> >  } AVLFG;
> 
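Review bot: the hunk alters only the declaration; the arithmetic the sanitizer traces (`2147483647 + 1` on `index`) is not in this hunk, so the fix relies on the increment site picking up unsigned semantics purely through the new field type. A narrower fix that does not touch the public struct is to perform that increment in unsigned arithmetic at the site itself, which is the direction Michael proposes below; that keeps `int index` in the header and still removes the undefined behaviour, since unsigned overflow wraps by definition.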
> Wouldn't this be considered an API change?

Is index public API?
Anyway I can fix this without changing the struct,
maybe that's safer.

will do that

thanks

[...]
James Almer Oct. 19, 2019, 9:35 p.m.
On 10/19/2019 6:15 PM, Michael Niedermayer wrote:
> On Sat, Oct 19, 2019 at 05:45:04PM -0300, James Almer wrote:
>> On 10/19/2019 5:39 PM, Michael Niedermayer wrote:
>>> Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
>>> Fixes: 18333/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_COMFORTNOISE_fuzzer-5668481831272448
>>>
>>> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>> ---
>>>  libavutil/lfg.h | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/libavutil/lfg.h b/libavutil/lfg.h
>>> index 03f779ad8a..8b18df2cea 100644
>>> --- a/libavutil/lfg.h
>>> +++ b/libavutil/lfg.h
>>> @@ -26,7 +26,7 @@
>>>  
>>>  typedef struct AVLFG {
>>>      unsigned int state[64];
>>> -    int index;
>>> +    unsigned index;
>>>  } AVLFG;
>>
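Review bot: James's question should be resolved before this merges: `lfg.h` is installed, and the struct context shown here carries no doxygen note marking `index` as internal, so by the header's own documentation the field reads as public. If the intent is that callers never touch it, the struct comment should say so in the same patch, so later readers know the type change was deliberate rather than an unannounced API break.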
>> Wouldn't this be considered an API change?
> 
> is index public API ?

lfg.h is an installed header, and nothing in the doxy for the struct or
field says anything about it not being considered public.
I know you're not really supposed to access it manually to begin with,
but I don't know if it's safe to change it just like that.

> anyway i can fix this without changing the struct
> maybe thats safer
> 
> will do that
> 
> thanks
> 
> [...]
> 
> 
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>
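The sanitizer finding quoted in the commit message, and why an unsigned index (or an unsigned increment with the field left as `int`) removes it, shown in an added C example that is not part of this thread or of FFmpeg. It mirrors the struct shape in the hunk (a 64-entry `state` ring and an `index`) and assumes that the generator addresses the ring only through `index & 63`, which is how FFmpeg's `av_lfg_get` uses the field but which the hunk itself does not show; the `lfg_unsigned`, `step_unsigned`, `next_index_signed` and `ring_continuity_holds` names are the example's own.

```c
#include <assert.h>
#include <limits.h>
#include <stdio.h>

/* Constructed example, not FFmpeg code: a state block with the same shape
 * as the AVLFG struct in the hunk, using the field type the patch proposes.
 * The ring is assumed to be addressed only through `index & 63`, so only the
 * low six bits of index ever matter, not its absolute value. */
typedef struct {
    unsigned int state[64];
    unsigned index;
} lfg_unsigned;

/* Step the ring once and return the slot that was addressed.  Because
 * `index` is unsigned, incrementing UINT_MAX wraps to 0 by definition
 * (C17 6.2.5p9): there is no undefined behaviour for UBSan to report. */
static unsigned step_unsigned(lfg_unsigned *c)
{
    unsigned slot = c->index & 63u;
    c->index += 1u;
    return slot;
}

/* Alternative that keeps the field as `int`, the direction Michael mentions
 * (fixing it without changing the struct).  The increment is done in
 * unsigned arithmetic, so the overflow itself is defined; converting the
 * out-of-range result back to int is implementation-defined (C17 6.3.1.3p3),
 * not undefined, and wraps to INT_MIN on mainstream compilers.  A plain
 * `index++` on an int holding INT_MAX would be undefined behaviour. */
static int next_index_signed(int index)
{
    return (int)((unsigned)index + 1u);
}

/* Verify that the masked ring position stays consecutive across the wrap
 * point for both representations.  Returns 1 on success, 0 on a break. */
static int ring_continuity_holds(void)
{
    /* unsigned field: start three steps before UINT_MAX and cross the wrap */
    lfg_unsigned c = { {0}, UINT_MAX - 2u };
    unsigned prev = step_unsigned(&c);
    for (int i = 0; i < 8; i++) {
        unsigned cur = step_unsigned(&c);
        if (cur != ((prev + 1u) & 63u))
            return 0;
        prev = cur;
    }

    /* int field with unsigned increment: cross INT_MAX the same way */
    int idx = INT_MAX - 2;
    for (int i = 0; i < 8; i++) {
        int next = next_index_signed(idx);
        if (((unsigned)next & 63u) != (((unsigned)idx + 1u) & 63u))
            return 0;
        idx = next;
    }
    return 1;
}

int main(void)
{
    printf("ring continuity across wrap: %s\n",
           ring_continuity_holds() ? "ok" : "BROKEN");
    printf("INT_MAX & 63 = %u, next (via unsigned) & 63 = %u\n",
           (unsigned)INT_MAX & 63u,
           (unsigned)next_index_signed(INT_MAX) & 63u);
    return 0;
}
```

Building the example with `-fsanitize=undefined` produces no report, whereas replacing the body of `next_index_signed` with a plain `index + 1` and calling it with `INT_MAX` reproduces the exact "signed integer overflow: 2147483647 + 1" message from the commit.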

Patch

diff --git a/libavutil/lfg.h b/libavutil/lfg.h
index 03f779ad8a..8b18df2cea 100644
--- a/libavutil/lfg.h
+++ b/libavutil/lfg.h
@@ -26,7 +26,7 @@ 
 
 typedef struct AVLFG {
     unsigned int state[64];
-    int index;
+    unsigned index;
 } AVLFG;
 
 void av_lfg_init(AVLFG *c, unsigned int seed);
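Review bot: the commit message records the sanitizer finding and the fuzzer case but not why the change is safe for existing users of the installed header: it should state that `sizeof(AVLFG)` and the field offsets are unchanged (an `int` and an `unsigned` occupy the same storage, so the ABI is preserved) and explain how `index` is consumed relative to the 64-entry `state` ring, so a reader can see that the wrap from UINT_MAX to 0 does not alter the generated sequence. Without that reasoning the one-line type change reads as an unexplained public-header edit, which is the concern the thread raises.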