[FFmpeg-trac] #8312(undetermined:new): signed integer overflow at libavcodec/elbg.c
FFmpeg
trac at avcodec.org
Sat Oct 19 10:01:48 EEST 2019
#8312: signed integer overflow at libavcodec/elbg.c
-------------------------------------+-------------------------------------
Reporter: Suhwan | Type: defect
Status: new | Priority: normal
Component: | Version: git-
undetermined | master
Keywords: ubsan | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
Summary of the bug:
There are 3 signed integer overflows in libavcodec/elbg.c.
I compiled ffmpeg with "--toolchain=clang-usan" to check for undefined
behaviours and attached the log file.
How to reproduce:
{{{
% ffmpeg_g -y -i $PoC1 -i $PoC2 -target dvd -loglevel 0 -psnr -vbsf null
-c cinepak tmp.pmp
ffmpeg version N-95458-g9f023017ab Copyright (c) 2000-2019 the FFmpeg
developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug
--toolchain=clang-usan
}}}
Here's the UBSAN log:
{{{
libavcodec/elbg.c:426:25: runtime error: signed integer overflow:
2147476432 + 25361 cannot be represented in type 'int'
Thread 1 "ffmpeg_g" hit Breakpoint 1, 0x00000000004288b0 in
__ubsan::ScopedReport::~ScopedReport() ()
(gdb) bt
#0 0x00000000004288b0 in __ubsan::ScopedReport::~ScopedReport() ()
#1 0x000000000042b0eb in void
handleIntegerOverflowImpl<__ubsan::Value>(__ubsan::OverflowData*, unsigned
long, char const*, __ubsan::Value, __ubsan::ReportOptions) ()
#2 0x000000000042c8bf in __ubsan_handle_add_overflow ()
#3 0x0000000001fc56cd in avpriv_do_elbg (points=<optimized out>, dim=6,
numpoints=103680, codebook=<optimized out>,
numCB=<optimized out>, max_steps=1, closest_cb=0x7ffff438b040,
rand_state=0x93c4cf8) at libavcodec/elbg.c:426
#4 0x0000000001d57065 in quantize (s=<optimized out>, h=<optimized out>,
data=<optimized out>, linesize=<optimized out>,
v1mode=<optimized out>, info=<optimized out>, encoding=<optimized
out>) at libavcodec/cinepakenc.c:781
#5 0x0000000001d52b71 in rd_strip (y=0, s=<optimized out>, h=<optimized
out>, keyframe=<optimized out>, last_data=<optimized out>,
last_linesize=<optimized out>, data=<optimized out>,
linesize=<optimized out>, scratch_data=<optimized out>,
scratch_linesize=<optimized out>, buf=<optimized out>,
best_score=<optimized out>) at libavcodec/cinepakenc.c:920
#6 rd_frame (s=<optimized out>, frame=<optimized out>,
isakeyframe=<optimized out>, buf=<optimized out>, buf_size=0)
at libavcodec/cinepakenc.c:1101
#7 0x0000000001d50742 in cinepak_encode_frame (avctx=<optimized out>,
pkt=<optimized out>, frame=<optimized out>,
got_packet=0x7fffffffc164) at libavcodec/cinepakenc.c:1162
#8 0x0000000001fd2adf in avcodec_encode_video2 (avctx=0x93c4800,
avpkt=<optimized out>, frame=<optimized out>,
got_packet_ptr=0x7fffffffc164) at libavcodec/encode.c:302
#9 0x0000000001fd4810 in do_encode (avctx=0x93c4800, frame=0x93dfe80,
got_packet=0x7fffffffc164) at libavcodec/encode.c:371
#10 0x0000000001fd438a in avcodec_send_frame (avctx=0x93c4800,
frame=0x93dfe80) at libavcodec/encode.c:420
#11 0x00000000004c51f8 in do_video_out (of=0x93b91c0, ost=<optimized out>,
next_picture=<optimized out>,
sync_ipts=4.9406564584124654e-324) at fftools/ffmpeg.c:1287
#12 0x00000000004c0f2b in reap_filters (flush=0) at fftools/ffmpeg.c:1504
#13 0x000000000048d682 in transcode_step () at fftools/ffmpeg.c:4638
#14 transcode () at fftools/ffmpeg.c:4682
#15 0x0000000000487dc4 in main (argc=34, argv=<optimized out>) at
fftools/ffmpeg.c:4884
(gdb) c
Continuing.
libavcodec/elbg.c:427:48: runtime error: signed integer overflow:
2147476432 + 25361 cannot be represented in type 'int'
Thread 1 "ffmpeg_g" hit Breakpoint 1, 0x00000000004288b0 in
__ubsan::ScopedReport::~ScopedReport() ()
(gdb) bt
#0 0x00000000004288b0 in __ubsan::ScopedReport::~ScopedReport() ()
#1 0x000000000042b0eb in void
handleIntegerOverflowImpl<__ubsan::Value>(__ubsan::OverflowData*, unsigned
long, char const*, __ubsan::Value, __ubsan::ReportOptions) ()
#2 0x000000000042c8bf in __ubsan_handle_add_overflow ()
#3 0x0000000001fc54b1 in avpriv_do_elbg (points=<optimized out>, dim=6,
numpoints=103680, codebook=<optimized out>,
numCB=<optimized out>, max_steps=1, closest_cb=0x7ffff438b040,
rand_state=0x93c4cf8) at libavcodec/elbg.c:427
#4 0x0000000001d57065 in quantize (s=<optimized out>, h=<optimized out>,
data=<optimized out>, linesize=<optimized out>,
v1mode=<optimized out>, info=<optimized out>, encoding=<optimized
out>) at libavcodec/cinepakenc.c:781
#5 0x0000000001d52b71 in rd_strip (y=0, s=<optimized out>, h=<optimized
out>, keyframe=<optimized out>, last_data=<optimized out>,
last_linesize=<optimized out>, data=<optimized out>,
linesize=<optimized out>, scratch_data=<optimized out>,
scratch_linesize=<optimized out>, buf=<optimized out>,
best_score=<optimized out>) at libavcodec/cinepakenc.c:920
#6 rd_frame (s=<optimized out>, frame=<optimized out>,
isakeyframe=<optimized out>, buf=<optimized out>, buf_size=0)
at libavcodec/cinepakenc.c:1101
#7 0x0000000001d50742 in cinepak_encode_frame (avctx=<optimized out>,
pkt=<optimized out>, frame=<optimized out>,
got_packet=0x7fffffffc164) at libavcodec/cinepakenc.c:1162
#8 0x0000000001fd2adf in avcodec_encode_video2 (avctx=0x93c4800,
avpkt=<optimized out>, frame=<optimized out>,
got_packet_ptr=0x7fffffffc164) at libavcodec/encode.c:302
#9 0x0000000001fd4810 in do_encode (avctx=0x93c4800, frame=0x93dfe80,
got_packet=0x7fffffffc164) at libavcodec/encode.c:371
#10 0x0000000001fd438a in avcodec_send_frame (avctx=0x93c4800,
frame=0x93dfe80) at libavcodec/encode.c:420
#11 0x00000000004c51f8 in do_video_out (of=0x93b91c0, ost=<optimized out>,
next_picture=<optimized out>,
sync_ipts=4.9406564584124654e-324) at fftools/ffmpeg.c:1287
#12 0x00000000004c0f2b in reap_filters (flush=0) at fftools/ffmpeg.c:1504
#13 0x000000000048d682 in transcode_step () at fftools/ffmpeg.c:4638
#14 transcode () at fftools/ffmpeg.c:4682
#15 0x0000000000487dc4 in main (argc=34, argv=<optimized out>) at
fftools/ffmpeg.c:4884
(gdb) c
Continuing.
libavcodec/elbg.c:451:26: runtime error: signed integer overflow:
2147483647 - -1719047551 cannot be represented in type 'int'
Thread 1 "ffmpeg_g" hit Breakpoint 1, 0x00000000004288b0 in
__ubsan::ScopedReport::~ScopedReport() ()
}}}
Please confirm.
Thanks
--
Ticket URL: <https://trac.ffmpeg.org/ticket/8312>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker