From patchwork Tue Apr 25 18:38:13 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Niedermayer <michael@niedermayer.cc>
X-Patchwork-Id: 41324
Delivered-To: ffmpegpatchwork2@gmail.com
Received: by 2002:a05:6a20:dca6:b0:f3:34fa:f187 with SMTP id
 ky38csp2452211pzb;
        Tue, 25 Apr 2023 11:38:27 -0700 (PDT)
X-Google-Smtp-Source: 
 AKy350ZkD0vi0cW+mLB563v0sy+ExPz9IrRh/3v9Vl7KIX3ovVwkkB/bOkISSOoGQKlP1OgPNmUV
X-Received: by 2002:a17:906:12:b0:94e:6edc:71bc with SMTP id
 18-20020a170906001200b0094e6edc71bcmr14059021eja.25.1682447907581;
        Tue, 25 Apr 2023 11:38:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1682447907; cv=none;
        d=google.com; s=arc-20160816;
        b=NdVCoU34AEXbMEBABPlHi8eqqSTmFdEEhqCw2eH9wsG6YyopRG+8TnoBovEYYqDrZj
         a7aw44HZXA0OrprWymslCNR6hHv0CoGNOub3nYSilwEWskBRuIhu+r7hRztlwnEiC1BF
         1YGyqc/gW7Icjd+xEBhWOUezZejA6jJaUofqKyPRn5STegoLIdQMckXU1W/iLkWtggln
         HiDKnOmghVwd2IzxLs+GOnckr0MSjB9ph7jWalDKEhSJSz6qpMfS3DCxIPeYasn8NgY2
         8LA2HIioglkOQvUSB0UUijmfl/q72ssoAl2SDP4M1ooCsH7vzho8f6/JCTgvY0P1YM3Y
         QX3g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=sender:errors-to:content-transfer-encoding:mime-version:reply-to
         :list-subscribe:list-help:list-post:list-archive:list-unsubscribe
         :list-id:precedence:subject:message-id:date:to:from:delivered-to;
        bh=L6eswHTA4ZmN4oO55z7I6OkFDc4gkTED/lkMfkmO7zo=;
        b=NVLmhdE1gdFk/ahaBxOKll6qTaIjDXc/s4SKZJkFkWq8BmXtmXCuXVQcPfk3qK+97v
         MB0J6/aCj2UUz6N+xPPNyIa8Q7dB9e+szOs0o8C2AbwA1i3lffj8LJZs9ZCiAhuY4eUO
         9pWNFbjK3JhV7B+sKuVDSxXeqjTLwAyfFTk2C6xIjQjGMWnNRRViiOlbpZUxjCEgv2lY
         YOJk/KFB6Ofx/9UNzB8n7c3YJMIUVZ4VSsg73SDZwZkOkOkakJAqENHrpCzPQ1ZjfXdK
         nletiVm1JZ80wD05dMZibpdh0n0yz7RBruyd7CQZpZNQV/63qQMVXPkK2xfirEVitKVe
         Ib1Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
        by mx.google.com with ESMTP id
 j2-20020a170906474200b0094efb4f4271si11775115ejs.434.2023.04.25.11.38.27;
        Tue, 25 Apr 2023 11:38:27 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id DD9A068BF7A;
	Tue, 25 Apr 2023 21:38:23 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from relay3-d.mail.gandi.net (relay3-d.mail.gandi.net
 [217.70.183.195])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 3DFB168BA82
 for <ffmpeg-devel@ffmpeg.org>; Tue, 25 Apr 2023 21:38:17 +0300 (EEST)
Received: (Authenticated sender: michael@niedermayer.cc)
 by mail.gandi.net (Postfix) with ESMTPSA id 27EF760008
 for <ffmpeg-devel@ffmpeg.org>; Tue, 25 Apr 2023 18:38:15 +0000 (UTC)
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Tue, 25 Apr 2023 20:38:13 +0200
Message-Id: <20230425183814.18486-1-michael@niedermayer.cc>
X-Mailer: git-send-email 2.17.1
Subject: [FFmpeg-devel] [PATCH 1/2] avcodec/wavarc: Fix k limit
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
X-TUID: VxDOmaK7OfDb

The implementation does not support k=32

Fixes: shift exponent 32 is too large for 32-bit type 'unsigned int'
Fixes: 57976/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_WAVARC_fuzzer-5911925807775744

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/wavarc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavcodec/wavarc.c b/libavcodec/wavarc.c
index 827803c91d..312e4beb7f 100644
--- a/libavcodec/wavarc.c
+++ b/libavcodec/wavarc.c
@@ -192,7 +192,7 @@ static int decode_1dif(AVCodecContext *avctx,
         if (block_type < 4 && block_type >= 0) {
             k = 1 + (avctx->sample_fmt == AV_SAMPLE_FMT_S16P);
             k = get_urice(gb, k) + 1;
-            if (k > 32)
+            if (k >= 32)
                 return AVERROR_INVALIDDATA;
         }
 
@@ -284,7 +284,7 @@ static int decode_2slp(AVCodecContext *avctx,
         if (block_type < 5 && block_type >= 0) {
             k = 1 + (avctx->sample_fmt == AV_SAMPLE_FMT_S16P);
             k = get_urice(gb, k) + 1;
-            if (k > 32)
+            if (k >= 32)
                 return AVERROR_INVALIDDATA;
         }