[FFmpeg-devel] [PATCH] avcodec/mjpegdec: Fixes runtime error: signed integer overflow: -24543 * 2031616 cannot be represented in type 'int'

Michael Niedermayer michael at niedermayer.cc
Sun Mar 26 20:16:26 EEST 2017


On Sun, Mar 26, 2017 at 06:51:11PM +0200, wm4 wrote:
> On Sun, 26 Mar 2017 18:11:01 +0200
> Michael Niedermayer <michael at niedermayer.cc> wrote:
> 
> > Fixes: 943/clusterfuzz-testcase-5114865297391616
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> >  libavcodec/mjpegdec.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
> > index f26e8a3f9a..e08b045fe7 100644
> > --- a/libavcodec/mjpegdec.c
> > +++ b/libavcodec/mjpegdec.c
> > @@ -757,7 +757,8 @@ static int decode_block_progressive(MJpegDecodeContext *s, int16_t *block,
> >                                      uint16_t *quant_matrix,
> >                                      int ss, int se, int Al, int *EOBRUN)
> >  {
> > -    int code, i, j, level, val, run;
> > +    int code, i, j, val, run;
> > +    SUINT level;
> >  
> >      if (*EOBRUN) {
> >          (*EOBRUN)--;
> 
> Please make the type either signed or unsigned. Making it both
> (depending on the debug level) just to make the fuzzer happy (or
> something more complicated than that?) isn't a good idea. You probably
> want to make it always unsigned?

No, i want to make it SUINT

If it is always unsigned then its not possible to detect overflows
without explicitly checking for overflows.
If it is SUINT then ubsan can be used to detect overflows, this is
usefull to test files showing artifacts but no decode errors.


[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

I am the wisest man alive, for I know one thing, and that is that I know
nothing. -- Socrates
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20170326/fced82a6/attachment.sig>


More information about the ffmpeg-devel mailing list