diff mbox series

[FFmpeg-devel,2/3] avcodec/osq: avoid several signed integer overflows

Message ID 20231226163731.4147-2-michael@niedermayer.cc
State Accepted
Commit b54c9a9c8f44a9272dc0ee3c9f11ce54cba74008
Headers show
Series [FFmpeg-devel,1/3] avcodec/osq: Implement flush() | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Michael Niedermayer Dec. 26, 2023, 4:37 p.m. UTC 
Fixes: signed integer overflow: 178459578 + 2009763270 cannot be represented in type 'int'
Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-5013423686287360

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/osq.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

Comments

James Almer Dec. 26, 2023, 4:56 p.m. UTC | #1 
On 12/26/2023 1:37 PM, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 178459578 + 2009763270 cannot be represented in type 'int'
> Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-5013423686287360
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>   libavcodec/osq.c | 24 ++++++++++++------------
>   1 file changed, 12 insertions(+), 12 deletions(-)
> 
> diff --git a/libavcodec/osq.c b/libavcodec/osq.c
> index abe15c97f18..f2771c46eb5 100644
> --- a/libavcodec/osq.c
> +++ b/libavcodec/osq.c
> @@ -222,8 +222,8 @@ static int osq_channel_parameters(AVCodecContext *avctx, int ch)
>   #define C (-3)
>   #define D (-4)
>   #define E (-5)
> -#define P2 ((dst[A] + dst[A]) - dst[B])
> -#define P3 ((dst[A] - dst[B]) * 3 + dst[C])
> +#define P2 (((unsigned)dst[A] + dst[A]) - dst[B])
> +#define P3 (((unsigned)dst[A] - dst[B]) * 3 + dst[C])
>   
>   static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int downsample)
>   {
> @@ -273,10 +273,10 @@ static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int
>               case 0:
>                   break;
>               case 1:
> -                dst[n] += dst[A];
> +                dst[n] += (unsigned)dst[A];
>                   break;
>               case 2:
> -                dst[n] += dst[A] + p;
> +                dst[n] += (unsigned)dst[A] + p;
>                   break;
>               case 3:
>                   dst[n] += P2;
> @@ -291,28 +291,28 @@ static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int
>                   dst[n] += P3 + p;
>                   break;
>               case 7:
> -                dst[n] += (P2 + P3) / 2 + p;
> +                dst[n] += (int)(P2 + P3) / 2 + (unsigned)p;

Would 2U work for this? It's shorted and more readable that casts 
everywhere. Same for most cases below.

>                   break;
>               case 8:
> -                dst[n] += (P2 + P3) / 2;
> +                dst[n] += (int)(P2 + P3) / 2;
>                   break;
>               case 9:
> -                dst[n] += (P2 * 2 + P3) / 3 + p;
> +                dst[n] += (int)(P2 * 2 + P3) / 3 + (unsigned)p;
>                   break;
>               case 10:
> -                dst[n] += (P2 + P3 * 2) / 3 + p;
> +                dst[n] += (int)(P2 + P3 * 2) / 3 + (unsigned)p;
>                   break;
>               case 11:
> -                dst[n] += (dst[A] + dst[B]) / 2;
> +                dst[n] += (int)((unsigned)dst[A] + dst[B]) / 2;
>                   break;
>               case 12:
> -                dst[n] += dst[B];
> +                dst[n] += (unsigned)dst[B];
>                   break;
>               case 13:
> -                dst[n] += (dst[D] + dst[B]) / 2;
> +                dst[n] += (int)(unsigned)(dst[D] + dst[B]) / 2;
>                   break;
>               case 14:
> -                dst[n] += (P2 + dst[A]) / 2 + p;
> +                dst[n] += (int)((unsigned)P2 + dst[A]) / 2 + (unsigned)p;
>                   break;
>               default:
>                   return AVERROR_INVALIDDATA;
Michael Niedermayer Dec. 28, 2023, 7:53 p.m. UTC | #2 
On Tue, Dec 26, 2023 at 01:56:31PM -0300, James Almer wrote:
> On 12/26/2023 1:37 PM, Michael Niedermayer wrote:
> > Fixes: signed integer overflow: 178459578 + 2009763270 cannot be represented in type 'int'
> > Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-5013423686287360
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >   libavcodec/osq.c | 24 ++++++++++++------------
> >   1 file changed, 12 insertions(+), 12 deletions(-)
> > 
> > diff --git a/libavcodec/osq.c b/libavcodec/osq.c
> > index abe15c97f18..f2771c46eb5 100644
> > --- a/libavcodec/osq.c
> > +++ b/libavcodec/osq.c
> > @@ -222,8 +222,8 @@ static int osq_channel_parameters(AVCodecContext *avctx, int ch)
> >   #define C (-3)
> >   #define D (-4)
> >   #define E (-5)
> > -#define P2 ((dst[A] + dst[A]) - dst[B])
> > -#define P3 ((dst[A] - dst[B]) * 3 + dst[C])
> > +#define P2 (((unsigned)dst[A] + dst[A]) - dst[B])
> > +#define P3 (((unsigned)dst[A] - dst[B]) * 3 + dst[C])
> >   static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int downsample)
> >   {
> > @@ -273,10 +273,10 @@ static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int
> >               case 0:
> >                   break;
> >               case 1:
> > -                dst[n] += dst[A];
> > +                dst[n] += (unsigned)dst[A];
> >                   break;
> >               case 2:
> > -                dst[n] += dst[A] + p;
> > +                dst[n] += (unsigned)dst[A] + p;
> >                   break;
> >               case 3:
> >                   dst[n] += P2;
> > @@ -291,28 +291,28 @@ static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int
> >                   dst[n] += P3 + p;
> >                   break;
> >               case 7:
> > -                dst[n] += (P2 + P3) / 2 + p;
> > +                dst[n] += (int)(P2 + P3) / 2 + (unsigned)p;
> 
> Would 2U work for this? It's shorted and more readable that casts
> everywhere. Same for most cases below.

unsigned and signed division are different
-1 / 2 == 0
-1 / 2U != 0

thx

[...]
Michael Niedermayer March 26, 2024, 12:16 a.m. UTC | #3 
On Tue, Dec 26, 2023 at 05:37:30PM +0100, Michael Niedermayer wrote:
> Fixes: signed integer overflow: 178459578 + 2009763270 cannot be represented in type 'int'
> Fixes: 62285/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-5013423686287360
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/osq.c | 24 ++++++++++++------------
>  1 file changed, 12 insertions(+), 12 deletions(-)

will apply this and patch 3

[...]
diff mbox series

Patch

diff --git a/libavcodec/osq.c b/libavcodec/osq.c
index abe15c97f18..f2771c46eb5 100644
--- a/libavcodec/osq.c
+++ b/libavcodec/osq.c
@@ -222,8 +222,8 @@  static int osq_channel_parameters(AVCodecContext *avctx, int ch)
 #define C (-3)
 #define D (-4)
 #define E (-5)
-#define P2 ((dst[A] + dst[A]) - dst[B])
-#define P3 ((dst[A] - dst[B]) * 3 + dst[C])
+#define P2 (((unsigned)dst[A] + dst[A]) - dst[B])
+#define P3 (((unsigned)dst[A] - dst[B]) * 3 + dst[C])
 
 static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int downsample)
 {
@@ -273,10 +273,10 @@  static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int
             case 0:
                 break;
             case 1:
-                dst[n] += dst[A];
+                dst[n] += (unsigned)dst[A];
                 break;
             case 2:
-                dst[n] += dst[A] + p;
+                dst[n] += (unsigned)dst[A] + p;
                 break;
             case 3:
                 dst[n] += P2;
@@ -291,28 +291,28 @@  static int do_decode(AVCodecContext *avctx, AVFrame *frame, int decorrelate, int
                 dst[n] += P3 + p;
                 break;
             case 7:
-                dst[n] += (P2 + P3) / 2 + p;
+                dst[n] += (int)(P2 + P3) / 2 + (unsigned)p;
                 break;
             case 8:
-                dst[n] += (P2 + P3) / 2;
+                dst[n] += (int)(P2 + P3) / 2;
                 break;
             case 9:
-                dst[n] += (P2 * 2 + P3) / 3 + p;
+                dst[n] += (int)(P2 * 2 + P3) / 3 + (unsigned)p;
                 break;
             case 10:
-                dst[n] += (P2 + P3 * 2) / 3 + p;
+                dst[n] += (int)(P2 + P3 * 2) / 3 + (unsigned)p;
                 break;
             case 11:
-                dst[n] += (dst[A] + dst[B]) / 2;
+                dst[n] += (int)((unsigned)dst[A] + dst[B]) / 2;
                 break;
             case 12:
-                dst[n] += dst[B];
+                dst[n] += (unsigned)dst[B];
                 break;
             case 13:
-                dst[n] += (dst[D] + dst[B]) / 2;
+                dst[n] += (int)(unsigned)(dst[D] + dst[B]) / 2;
                 break;
             case 14:
-                dst[n] += (P2 + dst[A]) / 2 + p;
+                dst[n] += (int)((unsigned)P2 + dst[A]) / 2 + (unsigned)p;
                 break;
             default:
                 return AVERROR_INVALIDDATA;