From patchwork Sun Apr 16 16:48:20 2023
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 41204
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Sun, 16 Apr 2023 18:48:20 +0200
Message-Id: <20230416164830.15664-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
Subject: [FFmpeg-devel] [PATCH 01/11] avcodec/adpcm: Fix integer overflow in intermediate in ADPCM_XMD

Fixes: runtime error: signed integer overflow: 2140143616 + 254665816 cannot be represented in type 'int'
Fixes: 45982/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_XMD_fuzzer-6690181676924928

As a side effect this simplifies the equation; the high bits are different after this, but only the low 16 bits are stored and used in later steps.

The change is untested as there are no fate testcases, no sample files on the server, no links on the mailing list and no reports on trac referencing this format that I could find.

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/adpcm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/adpcm.c b/libavcodec/adpcm.c
index 451696932d1..d8f334cf5a0 100644
--- a/libavcodec/adpcm.c
+++ b/libavcodec/adpcm.c
@@ -1579,11 +1579,11 @@ static int adpcm_decode_frame(AVCodecContext *avctx, AVFrame *frame, nibble[0] = sign_extend(byte & 15, 4); nibble[1] = sign_extend(byte >> 4, 4); - out[2+n*2] = (nibble[0]*(scale<<14) + (history[0]*29336) - (history[1]*13136)) >> 14; + out[2+n*2 ] = nibble[0]*scale + ((history[0]*3667 - history[1]*1642) >> 11); history[1] = history[0]; history[0] = out[2+n*2]; - out[2+n*2+1] = (nibble[1]*(scale<<14) + (history[0]*29336) - (history[1]*13136)) >> 14; + out[2+n*2+1] = nibble[1]*scale + ((history[0]*3667 - history[1]*1642) >> 11); history[1] = history[0]; history[0] = out[2+n*2+1]; }
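Review bot: the two `+ out[...]` lines are an exact refactor of the old expression only because 29336 == 3667 << 3 and 13136 == 1642 << 3, so `(h0*29336 - h1*13136) >> 14` equals `(h0*3667 - h1*1642) >> 11` and the `nibble*scale` term drops out of the shift because `scale<<14` was a multiple of 1<<14; the commit message's "high bits are different" therefore applies only to inputs that previously overflowed, and for an admittedly untested change it would help to state that in the message or in a one-line comment above the two assignments. What remains in plain `int` is `nibble[0]*scale` (nibble is a sign-extended 4-bit value) and `history[0]*3667`; neither the bound of `scale` nor the type of `history[]` is visible in this hunk, so please confirm that `scale` is derived from a bounded field and that `history[]` holds 16-bit values, otherwise the first product can still overflow. Minor style point: the first replaced line has a stray space in `out[2+n*2 ]`; it should read `out[2+n*2]` like the `history[0] = out[2+n*2];` line below it.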
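To make the equivalence argued in the commit message checkable, here is an added C example that is not part of the patch or of FFmpeg. It evaluates the old expression in 64-bit arithmetic (so it cannot overflow), detects whether the old plain-int expression would overflow using the GCC/Clang checked-arithmetic builtins instead of triggering undefined behaviour, and compares both against the new expression. The sample inputs are constructed; the real ranges of `scale` and `history[]` are not shown in the hunk and are assumptions here.

```c
#include <stdint.h>
#include <stdio.h>

/* Old expression from the patch, evaluated in 64-bit so it never overflows.
   Right shift of a negative value is arithmetic on GCC/Clang, which is what
   the decoder relies on as well. */
static int64_t xmd_old_wide(int nibble, int scale, int h0, int h1)
{
    return ((int64_t)nibble * ((int64_t)scale << 14)
            + (int64_t)h0 * 29336 - (int64_t)h1 * 13136) >> 14;
}

/* New expression from the patch, written in plain int exactly as the
   patch does. 29336 == 3667 << 3 and 13136 == 1642 << 3, so the history
   term shifted by 11 equals the old term shifted by 14. */
static int xmd_new(int nibble, int scale, int h0, int h1)
{
    return nibble * scale + ((h0 * 3667 - h1 * 1642) >> 11);
}

/* Returns 1 if the old plain-int expression would overflow for these
   inputs, 0 otherwise. The checked builtins report overflow without
   performing the undefined operation, so this is safe to run. */
static int xmd_old_overflows(int nibble, int scale, int h0, int h1)
{
    int t1, t2, t3, acc;
    if (__builtin_mul_overflow(scale, 1 << 14, &t1)) return 1; /* scale<<14 */
    if (__builtin_mul_overflow(nibble, t1, &t1))     return 1;
    if (__builtin_mul_overflow(h0, 29336, &t2))      return 1;
    if (__builtin_mul_overflow(h1, 13136, &t3))      return 1;
    if (__builtin_add_overflow(t1, t2, &acc))        return 1;
    if (__builtin_sub_overflow(acc, t3, &acc))       return 1;
    return 0;
}

/* Returns 1 if old (wide) and new agree in the low 16 bits, which is all
   the decoder stores according to the commit message. */
static int low16_equal(int nibble, int scale, int h0, int h1)
{
    int64_t o = xmd_old_wide(nibble, scale, h0, h1);
    int     n = xmd_new(nibble, scale, h0, h1);
    return (o & 0xFFFF) == (n & 0xFFFF);
}

int main(void)
{
    /* Constructed inputs: nibble is a sign-extended 4-bit value (-8..7);
       scale = 1<<17 makes scale<<14 overflow int in the old form. */
    struct { int nibble, scale, h0, h1; } cases[] = {
        { 7, 131072, 1000, -500 },   /* old form overflows */
        { -3, 100, -2000, 1500 },    /* old form fine, negative result */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int n = cases[i].nibble, s = cases[i].scale;
        int h0 = cases[i].h0, h1 = cases[i].h1;
        printf("nibble=%d scale=%d h0=%d h1=%d: old_overflows=%d "
               "old_wide=%lld new=%d low16_equal=%d\n",
               n, s, h0, h1, xmd_old_overflows(n, s, h0, h1),
               (long long)xmd_old_wide(n, s, h0, h1), xmd_new(n, s, h0, h1),
               low16_equal(n, s, h0, h1));
    }
    return 0;
}
```

The first case is the shape of input the fuzzer found: the old form overflows in `scale<<14`, while the new form stays within `int` and matches the overflow-free 64-bit evaluation bit for bit. The second case shows that the two forms agree exactly, not just in the low 16 bits, whenever the old form did not overflow.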