From patchwork Wed Dec 8 03:17:13 2021
X-Patchwork-Submitter: Yy
X-Patchwork-Id: 32171
From: Yu Yang
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 8 Dec 2021 11:17:13 +0800
Message-Id: <20211208031713.1002-1-young_chelsea@163.com>
In-Reply-To: <20211206122142.84235-1-young_chelsea@163.com>
References: <20211206122142.84235-1-young_chelsea@163.com>
Subject: [FFmpeg-devel] [PATCH v2] libswresample/swresamplec: Err num(negative-size) was used as a function parameter
Cc: TOTE Robot, Yu Yang

If memory cannot be allocated, ERROR(ENOMEM) '-12' will constantly be
returned as a parameter. When resample() is run first, the negative size
param would cause a buffer-overflow and SEGV in swri_rematrix(). When
swri_rematrix() is run first, resample() would not cause an error, but the
Err num is passed as a wrong parameter. Err num should be returned
immediately. And remove assert to ensure the return of the error code.

coredump info:
    #0 0x499517 in posix_memalign (/home/r1/ffmpeg/ffmpeg_4.4.1+0x499517)
    #1 0x6c1f0b4 in av_malloc /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:86:9
    #2 0x6c208fe in av_mallocz /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:239:17
    #3 0x6c207ad in av_mallocz_array /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavutil/mem.c:195:12
    #4 0x654b2e5 in swri_realloc_audio /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:418:14
    #5 0x654f9a1 in swr_convert_internal /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:601:17
    #6 0x654d2c0 in swr_convert /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libswresample/swresample.c:766:19
    #7 0x186cf56 in flush_frame /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/af_aresample.c:251:13
    #8 0x186a454 in request_frame /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/af_aresample.c:288:20
    #9 0x787d9c in ff_request_frame_to_filter /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:459:15
    #10 0x7877f1 in forward_status_change /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1257:19
    #11 0x77ed7e in ff_filter_activate_default /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1288:20
    #12 0x77e4e1 in ff_filter_activate /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfilter.c:1441:11
    #13 0x793b3f in ff_filter_graph_run_once /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfiltergraph.c:1403:12
    #14 0x7a7bee in get_frame_internal /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/buffersink.c:131:19
    #15 0x7a7287 in av_buffersink_get_frame_flags /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/buffersink.c:142:12
    #16 0x792888 in avfilter_graph_request_oldest /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/libavfilter/avfiltergraph.c:1356:17
    #17 0x5d07df in transcode_from_filter /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4639:11
    #18 0x59e557 in transcode_step /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4729:20
    #19 0x593970 in transcode
/home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:4805:15 #20 0x58f7a4 in main /home/r1/ffmpeg/ffmpeg-4.4.1/build/src/fftools/ffmpeg.c:5010:9 #21 0x7f6fd2dee0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 SUMMARY: AddressSanitizer: negative-size-param (/home/r1/ffmpeg/ffmpeg_4.4.1+0x497e67) in __asan_memcpy Reported-by: TOTE Robot Signed-off-by: Yu Yang --- libswresample/swresample.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libswresample/swresample.c b/libswresample/swresample.c index c03fe5528f..16734c9df9 100644 --- a/libswresample/swresample.c +++ b/libswresample/swresample.c @@ -643,14 +643,16 @@ static int swr_convert_internal(struct SwrContext *s, AudioData *out, int out_co if(s->resample_first){ if(postin != midbuf) - out_count= resample(s, midbuf, out_count, postin, in_count); + if ((out_count = resample(s, midbuf, out_count, postin, in_count)) < 0) + return out_count; if(midbuf != preout) swri_rematrix(s, preout, midbuf, out_count, preout==out); }else{ if(postin != midbuf) swri_rematrix(s, midbuf, postin, in_count, midbuf==out); if(midbuf != preout) - out_count= resample(s, preout, out_count, midbuf, in_count); + if ((out_count = resample(s, preout, out_count, midbuf, in_count)) < 0) + return out_count; } if(preout != out && out_count){ @@ -769,7 +771,7 @@ int attribute_align_arg swr_convert(struct SwrContext *s, if(ret>0 && !s->drop_output) s->outpts += ret * (int64_t)s->in_sample_rate; - av_assert2(max_output < 0 || ret < 0 || ret <= max_output); + av_assert2(max_output < 0 || ret <= max_output); return ret; }else{
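
Review bot: In the swr_convert_internal() hunk (@@ -643), both new error checks sit directly under an unbraced outer condition (`if(postin != midbuf)` and `if(midbuf != preout)`), so each site is now an if nested in an if with no braces. Please brace the outer condition, or combine the two tests, so a later edit cannot attach an else or a second statement to the wrong level. The checks also leave out_count holding either a sample count or a negative error code; assigning the result of resample() to a separate ret variable and copying it to out_count only on success would make the intent clearer. Since the early return skips everything after this block, starting with the `if(preout != out && out_count)` handling, please confirm that nothing set up earlier in the function needs to be undone on this path. In the else branch, swri_rematrix() has already written midbuf by the time resample() can fail, which is harmless only if callers discard the buffers on a negative return.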
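
Review bot: In the swr_convert() hunk (@@ -769), dropping `ret < 0 ||` from the av_assert2 does not change what the assertion accepts. The condition is only evaluated past `max_output < 0` when max_output is non-negative, and any negative ret already satisfies `ret <= max_output` in that case, so the removed term was redundant and the old assert never prevented an error code from being returned. The commit message's "remove assert to ensure the return of the error code" therefore does not describe this line; either drop this hunk from the patch or reword the message to say it is a simplification with no functional change.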