Message ID | 20211014221323.21096-1-michael@niedermayer.cc |
---|---|
State | New |
Headers | show |
Series | [FFmpeg-devel,1/2] avcodec/speexdec: Check frames_per_packet more completely | expand |
Context | Check | Description |
---|---|---|
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
andriy/make_ppc | success | Make finished |
andriy/make_fate_ppc | success | Make fate finished |
On 10/14/2021 7:13 PM, Michael Niedermayer wrote: > Fixes: signed integer overflow: 2105344 * 539033345 cannot be represented in type 'int' > Fixes: out of array write > Fixes: 39956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-4766419250708480 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/speexdec.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c > index 4c50f54f27b..05f084de2e5 100644 > --- a/libavcodec/speexdec.c > +++ b/libavcodec/speexdec.c > @@ -1428,7 +1428,7 @@ static int parse_speex_extradata(AVCodecContext *avctx, > return AVERROR_INVALIDDATA; > s->vbr = bytestream_get_le32(&buf); > s->frames_per_packet = bytestream_get_le32(&buf); > - if (s->frames_per_packet <= 0) > + if (s->frames_per_packet <= 0 || s->frames_per_packet >= INT32_MAX / s->frame_size) s->frames_per_packet * s->frame_size is then multiplied by channel count (which can be at most 2) for the vector_fmul_scalar() call, so might as well check for that here too. Alternatively, all floatdsp functions could be adapted to take size_t buffer lengths. > return AVERROR_INVALIDDATA; > s->extra_headers = bytestream_get_le32(&buf); > >
On Fri, Oct 15, 2021 at 12:20 AM James Almer <jamrial@gmail.com> wrote: > On 10/14/2021 7:13 PM, Michael Niedermayer wrote: > > Fixes: signed integer overflow: 2105344 * 539033345 cannot be > represented in type 'int' > > Fixes: out of array write > > Fixes: > 39956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-4766419250708480 > > > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/speexdec.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c > > index 4c50f54f27b..05f084de2e5 100644 > > --- a/libavcodec/speexdec.c > > +++ b/libavcodec/speexdec.c > > @@ -1428,7 +1428,7 @@ static int parse_speex_extradata(AVCodecContext > *avctx, > > return AVERROR_INVALIDDATA; > > s->vbr = bytestream_get_le32(&buf); > > s->frames_per_packet = bytestream_get_le32(&buf); > > - if (s->frames_per_packet <= 0) > > + if (s->frames_per_packet <= 0 || s->frames_per_packet >= INT32_MAX > / s->frame_size) > > s->frames_per_packet * s->frame_size is then multiplied by channel count > (which can be at most 2) for the vector_fmul_scalar() call, so might as > well check for that here too. > > Alternatively, all floatdsp functions could be adapted to take size_t > buffer lengths. > Limit it to 32/64. > > > return AVERROR_INVALIDDATA; > > s->extra_headers = bytestream_get_le32(&buf); > > > > > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". >
On Fri, Oct 15, 2021 at 08:52:39AM +0200, Paul B Mahol wrote: > On Fri, Oct 15, 2021 at 12:20 AM James Almer <jamrial@gmail.com> wrote: > > > On 10/14/2021 7:13 PM, Michael Niedermayer wrote: > > > Fixes: signed integer overflow: 2105344 * 539033345 cannot be > > represented in type 'int' > > > Fixes: out of array write > > > Fixes: > > 39956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-4766419250708480 > > > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > > --- > > > libavcodec/speexdec.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c > > > index 4c50f54f27b..05f084de2e5 100644 > > > --- a/libavcodec/speexdec.c > > > +++ b/libavcodec/speexdec.c > > > @@ -1428,7 +1428,7 @@ static int parse_speex_extradata(AVCodecContext > > *avctx, > > > return AVERROR_INVALIDDATA; > > > s->vbr = bytestream_get_le32(&buf); > > > s->frames_per_packet = bytestream_get_le32(&buf); > > > - if (s->frames_per_packet <= 0) > > > + if (s->frames_per_packet <= 0 || s->frames_per_packet >= INT32_MAX > > / s->frame_size) > > > > s->frames_per_packet * s->frame_size is then multiplied by channel count > > (which can be at most 2) for the vector_fmul_scalar() call, so might as > > well check for that here too. > > > > Alternatively, all floatdsp functions could be adapted to take size_t > > buffer lengths. > > > > Limit it to 32/64. you mean like this: (64 channels) ? diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c index 4c50f54f27b..1fc1eea1a1b 100644 --- a/libavcodec/speexdec.c +++ b/libavcodec/speexdec.c @@ -1428,7 +1428,7 @@ static int parse_speex_extradata(AVCodecContext *avctx, return AVERROR_INVALIDDATA; s->vbr = bytestream_get_le32(&buf); s->frames_per_packet = bytestream_get_le32(&buf); - if (s->frames_per_packet <= 0) + if (s->frames_per_packet <= 0 || s->frames_per_packet >= INT32_MAX / 64 / s->frame_size) return AVERROR_INVALIDDATA; s->extra_headers = bytestream_get_le32(&buf); [...]
On Fri, Oct 15, 2021 at 7:26 PM Michael Niedermayer <michael@niedermayer.cc> wrote: > On Fri, Oct 15, 2021 at 08:52:39AM +0200, Paul B Mahol wrote: > > On Fri, Oct 15, 2021 at 12:20 AM James Almer <jamrial@gmail.com> wrote: > > > > > On 10/14/2021 7:13 PM, Michael Niedermayer wrote: > > > > Fixes: signed integer overflow: 2105344 * 539033345 cannot be > > > represented in type 'int' > > > > Fixes: out of array write > > > > Fixes: > > > > 39956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-4766419250708480 > > > > > > > > Found-by: continuous fuzzing process > > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > > > --- > > > > libavcodec/speexdec.c | 2 +- > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c > > > > index 4c50f54f27b..05f084de2e5 100644 > > > > --- a/libavcodec/speexdec.c > > > > +++ b/libavcodec/speexdec.c > > > > @@ -1428,7 +1428,7 @@ static int parse_speex_extradata(AVCodecContext > > > *avctx, > > > > return AVERROR_INVALIDDATA; > > > > s->vbr = bytestream_get_le32(&buf); > > > > s->frames_per_packet = bytestream_get_le32(&buf); > > > > - if (s->frames_per_packet <= 0) > > > > + if (s->frames_per_packet <= 0 || s->frames_per_packet >= > INT32_MAX > > > / s->frame_size) > > > > > > s->frames_per_packet * s->frame_size is then multiplied by channel > count > > > (which can be at most 2) for the vector_fmul_scalar() call, so might as > > > well check for that here too. > > > > > > Alternatively, all floatdsp functions could be adapted to take size_t > > > buffer lengths. > > > > > > > Limit it to 32/64. > > you mean like this: (64 channels) ? > I mean limit max frames per packet to 64. > > diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c > index 4c50f54f27b..1fc1eea1a1b 100644 > --- a/libavcodec/speexdec.c > +++ b/libavcodec/speexdec.c > @@ -1428,7 +1428,7 @@ static int parse_speex_extradata(AVCodecContext > *avctx, > return AVERROR_INVALIDDATA; > s->vbr = bytestream_get_le32(&buf); > s->frames_per_packet = bytestream_get_le32(&buf); > - if (s->frames_per_packet <= 0) > + if (s->frames_per_packet <= 0 || s->frames_per_packet >= INT32_MAX / > 64 / s->frame_size) > return AVERROR_INVALIDDATA; > s->extra_headers = bytestream_get_le32(&buf); > > > > [...] > > -- > Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB > > In a rich man's house there is no place to spit but his face. > -- Diogenes of Sinope > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe". >
On Fri, Oct 15, 2021 at 07:30:20PM +0200, Paul B Mahol wrote: > On Fri, Oct 15, 2021 at 7:26 PM Michael Niedermayer <michael@niedermayer.cc> > wrote: > > > On Fri, Oct 15, 2021 at 08:52:39AM +0200, Paul B Mahol wrote: > > > On Fri, Oct 15, 2021 at 12:20 AM James Almer <jamrial@gmail.com> wrote: > > > > > > > On 10/14/2021 7:13 PM, Michael Niedermayer wrote: > > > > > Fixes: signed integer overflow: 2105344 * 539033345 cannot be > > > > represented in type 'int' > > > > > Fixes: out of array write > > > > > Fixes: > > > > > > 39956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-4766419250708480 > > > > > > > > > > Found-by: continuous fuzzing process > > > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > > > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > > > > --- > > > > > libavcodec/speexdec.c | 2 +- > > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > > > diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c > > > > > index 4c50f54f27b..05f084de2e5 100644 > > > > > --- a/libavcodec/speexdec.c > > > > > +++ b/libavcodec/speexdec.c > > > > > @@ -1428,7 +1428,7 @@ static int parse_speex_extradata(AVCodecContext > > > > *avctx, > > > > > return AVERROR_INVALIDDATA; > > > > > s->vbr = bytestream_get_le32(&buf); > > > > > s->frames_per_packet = bytestream_get_le32(&buf); > > > > > - if (s->frames_per_packet <= 0) > > > > > + if (s->frames_per_packet <= 0 || s->frames_per_packet >= > > INT32_MAX > > > > / s->frame_size) > > > > > > > > s->frames_per_packet * s->frame_size is then multiplied by channel > > count > > > > (which can be at most 2) for the vector_fmul_scalar() call, so might as > > > > well check for that here too. > > > > > > > > Alternatively, all floatdsp functions could be adapted to take size_t > > > > buffer lengths. > > > > > > > > > > Limit it to 32/64. > > > > you mean like this: (64 channels) ? > > > > I mean limit max frames per packet to 64. that would give something like this: unless we can bound frame_size tighter diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c index 4c50f54f27b..d240e8a20bf 100644 --- a/libavcodec/speexdec.c +++ b/libavcodec/speexdec.c @@ -1428,7 +1428,9 @@ static int parse_speex_extradata(AVCodecContext *avctx, return AVERROR_INVALIDDATA; s->vbr = bytestream_get_le32(&buf); s->frames_per_packet = bytestream_get_le32(&buf); - if (s->frames_per_packet <= 0) + if (s->frames_per_packet <= 0 || + s->frames_per_packet > 64 || + s->frames_per_packet >= INT32_MAX / s->nb_channels / s->frame_size) return AVERROR_INVALIDDATA; s->extra_headers = bytestream_get_le32(&buf); [...]
On Fri, Oct 15, 2021 at 11:17:04PM +0200, Michael Niedermayer wrote: > On Fri, Oct 15, 2021 at 07:30:20PM +0200, Paul B Mahol wrote: > > On Fri, Oct 15, 2021 at 7:26 PM Michael Niedermayer <michael@niedermayer.cc> > > wrote: > > > > > On Fri, Oct 15, 2021 at 08:52:39AM +0200, Paul B Mahol wrote: > > > > On Fri, Oct 15, 2021 at 12:20 AM James Almer <jamrial@gmail.com> wrote: > > > > > > > > > On 10/14/2021 7:13 PM, Michael Niedermayer wrote: > > > > > > Fixes: signed integer overflow: 2105344 * 539033345 cannot be > > > > > represented in type 'int' > > > > > > Fixes: out of array write > > > > > > Fixes: > > > > > > > > 39956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-4766419250708480 > > > > > > > > > > > > Found-by: continuous fuzzing process > > > > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > > > > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > > > > > --- > > > > > > libavcodec/speexdec.c | 2 +- > > > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > > > > > diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c > > > > > > index 4c50f54f27b..05f084de2e5 100644 > > > > > > --- a/libavcodec/speexdec.c > > > > > > +++ b/libavcodec/speexdec.c > > > > > > @@ -1428,7 +1428,7 @@ static int parse_speex_extradata(AVCodecContext > > > > > *avctx, > > > > > > return AVERROR_INVALIDDATA; > > > > > > s->vbr = bytestream_get_le32(&buf); > > > > > > s->frames_per_packet = bytestream_get_le32(&buf); > > > > > > - if (s->frames_per_packet <= 0) > > > > > > + if (s->frames_per_packet <= 0 || s->frames_per_packet >= > > > INT32_MAX > > > > > / s->frame_size) > > > > > > > > > > s->frames_per_packet * s->frame_size is then multiplied by channel > > > count > > > > > (which can be at most 2) for the vector_fmul_scalar() call, so might as > > > > > well check for that here too. > > > > > > > > > > Alternatively, all floatdsp functions could be adapted to take size_t > > > > > buffer lengths. > > > > > > > > > > > > > Limit it to 32/64. > > > > > > you mean like this: (64 channels) ? > > > > > > > I mean limit max frames per packet to 64. > > that would give something like this: unless we can bound frame_size tighter > > diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c > index 4c50f54f27b..d240e8a20bf 100644 > --- a/libavcodec/speexdec.c > +++ b/libavcodec/speexdec.c will apply [...]
diff --git a/libavcodec/speexdec.c b/libavcodec/speexdec.c index 4c50f54f27b..05f084de2e5 100644 --- a/libavcodec/speexdec.c +++ b/libavcodec/speexdec.c @@ -1428,7 +1428,7 @@ static int parse_speex_extradata(AVCodecContext *avctx, return AVERROR_INVALIDDATA; s->vbr = bytestream_get_le32(&buf); s->frames_per_packet = bytestream_get_le32(&buf); - if (s->frames_per_packet <= 0) + if (s->frames_per_packet <= 0 || s->frames_per_packet >= INT32_MAX / s->frame_size) return AVERROR_INVALIDDATA; s->extra_headers = bytestream_get_le32(&buf);
Fixes: signed integer overflow: 2105344 * 539033345 cannot be represented in type 'int' Fixes: out of array write Fixes: 39956/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-4766419250708480 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/speexdec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)