[FFmpeg-devel,1/4] avcodec/sonic: Check e in get_symbol()

Submitted by Michael Niedermayer on Oct. 22, 2019, 2:27 p.m.

Details

Message ID 20191022142704.8818-1-michael@niedermayer.cc
State New

Commit Message

Michael Niedermayer Oct. 22, 2019, 2:27 p.m.
Fixes: signed integer overflow: 1721520852 + 1721520852 cannot be represented in type 'int'
Fixes: 18346/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5709623893426176

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/sonic.c | 2 ++
 1 file changed, 2 insertions(+)
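As an added example (not FFmpeg's code and not part of this patch), the following C program models the exponent/mantissa shape of get_symbol() in libavcodec/sonic.c with a plain bit reader standing in for the range coder. It shows the failure class named in the commit message: an unbounded unary exponent count e drives a doubling accumulator past what a fixed-width integer holds. The bit layout, the reader, the error constant and the sample inputs are all constructed here and are assumptions of the example, not the decoder's real bitstream.

```c
/* Added example (not FFmpeg code): models the exponent/mantissa shape of
 * get_symbol() in libavcodec/sonic.c with a plain bit reader in place of the
 * range coder, to show why the unary exponent count e must be bounded before
 * the mantissa is accumulated by doubling. Bit layout, reader and inputs are
 * constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ERR_INVALIDDATA (-1)   /* stand-in for AVERROR_INVALIDDATA */
#define MAX_EXP 31             /* the patch's bound: e > 31 is rejected */

typedef struct { const uint8_t *buf; size_t len; size_t pos; } BitReader;

/* Next bit, MSB first; 0 once the buffer is exhausted (constructed behaviour;
 * a real range coder can keep producing 1s indefinitely, which is exactly the
 * case the patch guards against). */
static int get_bit(BitReader *br) {
    if (br->pos >= br->len * 8) return 0;
    int bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* Layout modelled on get_symbol():
 *   bit 1                        -> symbol 0
 *   bit 0, then e ones and a 0   -> exponent e (unary)
 *   e mantissa bits, MSB first   -> a = 1 followed by those bits
 *   one sign bit if is_signed    -> negate
 * The value goes to *out; the return is 0 or ERR_INVALIDDATA, so an error
 * can never be confused with a legitimately negative symbol. */
static int decode_symbol(BitReader *br, int is_signed, int64_t *out) {
    if (get_bit(br)) { *out = 0; return 0; }

    int e = 0;
    while (get_bit(br)) {
        e++;
        if (e > MAX_EXP)            /* the check the patch adds */
            return ERR_INVALIDDATA;
    }

    /* 32-bit unsigned accumulator: a leading 1 plus at most 31 appended bits
     * fits in 32 bits, so the doubling cannot overflow. A signed int would
     * already be undefined behaviour at e == 31 (1 << 31 exceeds INT_MAX),
     * the "1721520852 + 1721520852" class of report in the commit message. */
    uint32_t a = 1;
    for (int i = e - 1; i >= 0; i--)
        a = (a << 1) | (uint32_t)get_bit(br);

    int neg = is_signed && get_bit(br);
    *out = neg ? -(int64_t)a : (int64_t)a;
    return 0;
}

/* Decode one symbol from a byte array. */
static int decode_bytes(const uint8_t *bytes, size_t len, int is_signed, int64_t *out) {
    BitReader br = { bytes, len, 0 };
    return decode_symbol(&br, is_signed, out);
}

/* Returns the decoded value, or INT64_MIN when the input is rejected. */
static int64_t decode_value(const uint8_t *bytes, size_t len, int is_signed) {
    int64_t v;
    return decode_bytes(bytes, len, is_signed, &v) == 0 ? v : INT64_MIN;
}

/* Constructed inputs (bits consumed MSB first):
 *   0x64                      = 0 11 0 01      -> e=2, a=0b101 = 5
 *   0x66                      = 0 11 0 01 1    -> -5 when is_signed
 *   0x80                      = 1              -> 0
 *   0x7F FF FF FF 7F FF FF FF = 0, 31 ones, 0, 31 ones -> e=31, a=0xFFFFFFFF
 *   0x7F FF FF FF FF          = 0, 39 ones     -> rejected at e == 32 */
static const uint8_t in_five[]    = { 0x64 };
static const uint8_t in_neg5[]    = { 0x66 };
static const uint8_t in_zero[]    = { 0x80 };
static const uint8_t in_max[]     = { 0x7F, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF };
static const uint8_t in_runaway[] = { 0x7F, 0xFF, 0xFF, 0xFF, 0xFF };

int main(void) {
    printf("0x64            -> %lld\n", (long long)decode_value(in_five, sizeof in_five, 0));
    printf("0x66 (signed)   -> %lld\n", (long long)decode_value(in_neg5, sizeof in_neg5, 1));
    printf("0x80            -> %lld\n", (long long)decode_value(in_zero, sizeof in_zero, 0));
    printf("e == 31         -> %lld\n", (long long)decode_value(in_max, sizeof in_max, 0));
    printf("39 one-bits     -> rejected=%d\n",
           decode_value(in_runaway, sizeof in_runaway, 0) == INT64_MIN);
    return 0;
}
```

The two design points worth carrying back to a review of the real function are the out-parameter (so an error code and a negative symbol cannot collide) and the unsigned accumulator (so the cap of 31 exponent bits is actually sufficient for the doubling that follows it).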

Comments

Paul B Mahol Oct. 22, 2019, 2:56 p.m.
This code is dead and nonfunctional and should be removed ASAP!

On 10/22/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> Fixes: signed integer overflow: 1721520852 + 1721520852 cannot be
> represented in type 'int'
> Fixes:
> 18346/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5709623893426176
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/sonic.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c
> index 34d2952e69..b890d79c28 100644
> --- a/libavcodec/sonic.c
> +++ b/libavcodec/sonic.c
> @@ -144,6 +144,8 @@ static inline av_flatten int get_symbol(RangeCoder *c,
> uint8_t *state, int is_si
>          e= 0;
>          while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10
>              e++;
> +            if (e > 31)
> +                return AVERROR_INVALIDDATA;
>          }
>
>          a= 1;
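Review bot: the new `return AVERROR_INVALIDDATA;` in this hunk reports the error through the same int that carries the decoded symbol, and the `is_si` parameter in the hunk header suggests the function can legitimately return negative values, so a caller cannot tell the error apart from data unless it compares against AVERROR_INVALIDDATA explicitly. The patch should either show the callers of get_symbol() checking for that exact value and aborting decoding, or move the symbol to an out-parameter so the return is purely a status; otherwise the check turns a fuzzer-found overflow into a large negative symbol fed onward into the decoder's arithmetic.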
> --
> 2.23.0
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
Michael Niedermayer Oct. 27, 2019, 8:49 a.m.
On Tue, Oct 22, 2019 at 04:56:27PM +0200, Paul B Mahol wrote:
> This code is dead and nonfunctional and should be removed ASAP!

It's in several releases, which need this fix.
Even if it were removed from git master, they would still need the fix.


> 
> On 10/22/19, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > Fixes: signed integer overflow: 1721520852 + 1721520852 cannot be
> > represented in type 'int'
> > Fixes:
> > 18346/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SONIC_fuzzer-5709623893426176
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/sonic.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c
> > index 34d2952e69..b890d79c28 100644
> > --- a/libavcodec/sonic.c
> > +++ b/libavcodec/sonic.c
> > @@ -144,6 +144,8 @@ static inline av_flatten int get_symbol(RangeCoder *c,
> > uint8_t *state, int is_si
> >          e= 0;
> >          while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10
> >              e++;
> > +            if (e > 31)
> > +                return AVERROR_INVALIDDATA;
> >          }
> >
> >          a= 1;
> > --
> > 2.23.0

Patch

diff --git a/libavcodec/sonic.c b/libavcodec/sonic.c
index 34d2952e69..b890d79c28 100644
--- a/libavcodec/sonic.c
+++ b/libavcodec/sonic.c
@@ -144,6 +144,8 @@  static inline av_flatten int get_symbol(RangeCoder *c, uint8_t *state, int is_si
         e= 0;
         while(get_rac(c, state+1 + FFMIN(e,9))){ //1..10
             e++;
+            if (e > 31)
+                return AVERROR_INVALIDDATA;
         }
 
         a= 1;
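Review bot: the bound `if (e > 31)` still admits e == 31, and the `a= 1;` that follows it starts the accumulator the commit message shows being doubled (`1721520852 + 1721520852`); a leading 1 followed by 31 more bits needs 32 bits, so if `a` is a signed int the overflow this patch targets is narrowed, not removed. Either reject at `e > 30` or make the accumulator unsigned in the same change, and document in the commit message why 31 is the chosen limit.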