From patchwork Wed Aug  2 11:31:06 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: kobrineli <kobrineli@ispras.ru>
X-Patchwork-Id: 43090
Delivered-To: ffmpegpatchwork2@gmail.com
Received: by 2002:a05:6a20:c11f:b0:130:ccc6:6c4b with SMTP id
 bh31csp581331pzb;
        Wed, 2 Aug 2023 04:31:23 -0700 (PDT)
X-Google-Smtp-Source: 
 APBJJlHaRIa6gqIuDzfkMXnDaQ0WuNcBodEzS1CKttTLy0k04f/GeVGYEP26DElxkCHqac1EwxZB
X-Received: by 2002:ac2:4da1:0:b0:4fe:8c4:44f4 with SMTP id
 h1-20020ac24da1000000b004fe08c444f4mr4442411lfe.62.1690975883330;
        Wed, 02 Aug 2023 04:31:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1690975883; cv=none;
        d=google.com; s=arc-20160816;
        b=VejgFLLICQYIWcUsZ9Fq7Vg9LSDC41WSHNoLpB2ypho1+Bs5Xzz/g/wMoKmMp4HWLU
         C4cXSH0AjPkjy9pbs7ja9R7D9auRa4Ns+q5fIoMInZ5gtt1H79JlT3Y9LwXEwMg3LlE9
         nrc7NTdNLK6qVQBA0woBeMb89eBgOv1bREu6gwypn5rCMut22rje1kgBRbn4SEHudU7+
         TR108VbynTG0N52iwOp3TMF7VLT+jvWd0pTkacyeCdjQ2Ipmh0CJNWwV/VafIvz506ng
         bAYeaLf6DEkn7ojIcq723j3Hs/GTLK16ie74tNfaRTZgHZEuvqinGALfk9ke3QAkKUuc
         8Qeg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=sender:errors-to:content-transfer-encoding:cc:reply-to
         :list-subscribe:list-help:list-post:list-archive:list-unsubscribe
         :list-id:precedence:subject:libswresample:mime-version:message-id
         :date:to:from:dkim-signature:dkim-filter:delivered-to;
        bh=7Cw4twA4txKIrBYXcW7xwk71c7VekCXX6CCfN6TNhbs=;
        fh=ibdlRJL7hPsX7vyGZAgmrkUlV+OlDJERNwSvIOcS0Zs=;
        b=LTDxutI2MDFdM2ZRZtP2hMV4kbEMSiKM9LQ0vYIyK4a7fon6aMcWRXIiqzdHkYFmUq
         3fGAJstFkIrcEjydvwIlVLQ3fXnap0IX4aQ5w93wRAMjSz8eS1BLE+Fg/f0MLL1+mcj8
         +GY2pa20fRgt4e3gE0dXXj5kmb9iuWY8qxOuz5YC0c3kjTNDLxDToM7/DFUkFmNVDGaF
         zsHrlUZCRT0w5YPKWZ5VVTuVc8qGNoJO812MkH4VQTAalUPQ8z2fdO8D8w0wxsA0h3k9
         3ucwT6ZfmkoOhx7CEBuez3JxcDbmYS/OlEDF2XY7tS4+2FFr9iGjHzQNCpqmquNomH0d
         roIg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@ispras.ru
 header.s=default header.b=MGoIlUOM;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
        by mx.google.com with ESMTP id
 j9-20020a50ed09000000b0051e16fd4d9asi9304147eds.223.2023.08.02.04.31.22;
        Wed, 02 Aug 2023 04:31:23 -0700 (PDT)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@ispras.ru
 header.s=default header.b=MGoIlUOM;
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 782F768C5FB;
	Wed,  2 Aug 2023 14:31:19 +0300 (EEST)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 5F13468C199
 for <ffmpeg-devel@ffmpeg.org>; Wed,  2 Aug 2023 14:31:12 +0300 (EEST)
Received: from madara.intra.ispras.ru (unknown [10.10.34.59])
 by mail.ispras.ru (Postfix) with ESMTPSA id 9768140F1DE0;
 Wed,  2 Aug 2023 11:31:11 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ispras.ru 9768140F1DE0
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ispras.ru;
 s=default; t=1690975871;
 bh=se7u/34GVBg8JowTwj0Q0c/QoaN2re6cB+E2pA14nmw=;
 h=From:To:Cc:Subject:Date:From;
 b=MGoIlUOMAI2GxHpeY5ZlMvOyu4uWVgV7XJEWn1TqrlNylBxkFneLBaleBCUwJn5Oc
 vvt6EszpIdrgAk/hACACRA/i3vBeP3ob6/o4jACXtMYrhNX/1DbsGX6pmYy1+QI4or
 F5U/WVFCdM5/boLXM84KqGSa+xqdAz2btSqrVoIY=
From: kobrineli <kobrineli@ispras.ru>
To: ffmpeg-devel@ffmpeg.org
Date: Wed,  2 Aug 2023 14:31:06 +0300
Message-Id: <20230802113106.1138555-1-kobrineli@ispras.ru>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
libswresample: Prevent out of bounds
Subject: [FFmpeg-devel] [PATCH] libswresample: Prevent out of bounds.
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Eli Kobrin <kobrineli@ispras.ru>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
X-TUID: WzOTv/c9EwVj

From: Eli Kobrin <kobrineli@ispras.ru>

We've been fuzzing torchvision with [sydr-fuzz](https://github.com/ispras/oss-sydr-fuzz)
and found out of bounds error in ffmpeg project at audioconvert.c:51.
To prevent error we need to insert corresponding check and fix checks
for in and out fmt in swr_init.

Signed-off-by: Eli Kobrin <kobrineli@ispras.ru>
---
 libswresample/audioconvert.c | 7 ++++++-
 libswresample/swresample.c   | 4 ++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/libswresample/audioconvert.c b/libswresample/audioconvert.c
index 1d75ba1495..701f4808a0 100644
--- a/libswresample/audioconvert.c
+++ b/libswresample/audioconvert.c
@@ -148,7 +148,12 @@ AudioConvert *swri_audio_convert_alloc(enum AVSampleFormat out_fmt,
                                        int flags)
 {
     AudioConvert *ctx;
-    conv_func_type *f = fmt_pair_to_conv_functions[av_get_packed_sample_fmt(out_fmt) + AV_SAMPLE_FMT_NB*av_get_packed_sample_fmt(in_fmt)];
+
+    size_t idx = av_get_packed_sample_fmt(out_fmt) + AV_SAMPLE_FMT_NB * av_get_packed_sample_fmt(in_fmt);
+    if (idx >= AV_SAMPLE_FMT_NB * AV_SAMPLE_FMT_NB)
+        return NULL;
+
+    conv_func_type *f = fmt_pair_to_conv_functions[idx];
 
     if (!f)
         return NULL;
diff --git a/libswresample/swresample.c b/libswresample/swresample.c
index 6dc329a9d0..b7cab36710 100644
--- a/libswresample/swresample.c
+++ b/libswresample/swresample.c
@@ -196,11 +196,11 @@ av_cold int swr_init(struct SwrContext *s){
 
     clear_context(s);
 
-    if(s-> in_sample_fmt >= AV_SAMPLE_FMT_NB){
+    if(s-> in_sample_fmt >= AV_SAMPLE_FMT_NB || s-> in_sample_fmt < 0){
         av_log(s, AV_LOG_ERROR, "Requested input sample format %d is invalid\n", s->in_sample_fmt);
         return AVERROR(EINVAL);
     }
-    if(s->out_sample_fmt >= AV_SAMPLE_FMT_NB){
+    if(s->out_sample_fmt >= AV_SAMPLE_FMT_NB || s->out_sample_fmt < 0){
         av_log(s, AV_LOG_ERROR, "Requested output sample format %d is invalid\n", s->out_sample_fmt);
         return AVERROR(EINVAL);
     }