[FFmpeg-trac] #8312(undetermined:new): signed integer overflow at libavcodec/elbg.c

FFmpeg trac at avcodec.org
Sat Oct 19 10:01:48 EEST 2019


#8312: signed integer overflow at libavcodec/elbg.c
-------------------------------------+-------------------------------------
             Reporter:  Suhwan       |                     Type:  defect
               Status:  new          |                 Priority:  normal
            Component:               |                  Version:  git-
  undetermined                       |  master
             Keywords:  ubsan        |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
 Summary of the bug:
 There're 3 signed integer overflow at libavcodec/elbg.c

 I compiled ffmpeg with "--toolchain=clang-usan" to check the undefined-
 behaviours and attached log file.
 How to reproduce:
 {{{
 % ffmpeg_g -y -i $PoC1 -i $PoC2 -target dvd -loglevel 0 -psnr -vbsf null
 -c cinepak tmp.pmp

 ffmpeg version N-95458-g9f023017ab Copyright (c) 2000-2019 the FFmpeg
 developers
 built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
 configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug
 --toolchain=clang-usan
 }}}

 Here's UBSAN log

 {{{
 libavcodec/elbg.c:426:25: runtime error: signed integer overflow:
 2147476432 + 25361 cannot be represented in type 'int'

 Thread 1 "ffmpeg_g" hit Breakpoint 1, 0x00000000004288b0 in
 __ubsan::ScopedReport::~ScopedReport() ()
 (gdb) bt
 #0  0x00000000004288b0 in __ubsan::ScopedReport::~ScopedReport() ()
 #1  0x000000000042b0eb in void
 handleIntegerOverflowImpl<__ubsan::Value>(__ubsan::OverflowData*, unsigned
 long, char const*, __ubsan::Value, __ubsan::ReportOptions) ()
 #2  0x000000000042c8bf in __ubsan_handle_add_overflow ()
 #3  0x0000000001fc56cd in avpriv_do_elbg (points=<optimized out>, dim=6,
 numpoints=103680, codebook=<optimized out>,
     numCB=<optimized out>, max_steps=1, closest_cb=0x7ffff438b040,
 rand_state=0x93c4cf8) at libavcodec/elbg.c:426
 #4  0x0000000001d57065 in quantize (s=<optimized out>, h=<optimized out>,
 data=<optimized out>, linesize=<optimized out>,
     v1mode=<optimized out>, info=<optimized out>, encoding=<optimized
 out>) at libavcodec/cinepakenc.c:781
 #5  0x0000000001d52b71 in rd_strip (y=0, s=<optimized out>, h=<optimized
 out>, keyframe=<optimized out>, last_data=<optimized out>,
     last_linesize=<optimized out>, data=<optimized out>,
 linesize=<optimized out>, scratch_data=<optimized out>,
     scratch_linesize=<optimized out>, buf=<optimized out>,
 best_score=<optimized out>) at libavcodec/cinepakenc.c:920
 #6  rd_frame (s=<optimized out>, frame=<optimized out>,
 isakeyframe=<optimized out>, buf=<optimized out>, buf_size=0)
     at libavcodec/cinepakenc.c:1101
 #7  0x0000000001d50742 in cinepak_encode_frame (avctx=<optimized out>,
 pkt=<optimized out>, frame=<optimized out>,
     got_packet=0x7fffffffc164) at libavcodec/cinepakenc.c:1162
 #8  0x0000000001fd2adf in avcodec_encode_video2 (avctx=0x93c4800,
 avpkt=<optimized out>, frame=<optimized out>,
     got_packet_ptr=0x7fffffffc164) at libavcodec/encode.c:302
 #9  0x0000000001fd4810 in do_encode (avctx=0x93c4800, frame=0x93dfe80,
 got_packet=0x7fffffffc164) at libavcodec/encode.c:371
 #10 0x0000000001fd438a in avcodec_send_frame (avctx=0x93c4800,
 frame=0x93dfe80) at libavcodec/encode.c:420
 #11 0x00000000004c51f8 in do_video_out (of=0x93b91c0, ost=<optimized out>,
 next_picture=<optimized out>,
     sync_ipts=4.9406564584124654e-324) at fftools/ffmpeg.c:1287
 #12 0x00000000004c0f2b in reap_filters (flush=0) at fftools/ffmpeg.c:1504
 #13 0x000000000048d682 in transcode_step () at fftools/ffmpeg.c:4638
 #14 transcode () at fftools/ffmpeg.c:4682
 #15 0x0000000000487dc4 in main (argc=34, argv=<optimized out>) at
 fftools/ffmpeg.c:4884
 (gdb) c
 Continuing.
 libavcodec/elbg.c:427:48: runtime error: signed integer overflow:
 2147476432 + 25361 cannot be represented in type 'int'

 Thread 1 "ffmpeg_g" hit Breakpoint 1, 0x00000000004288b0 in
 __ubsan::ScopedReport::~ScopedReport() ()
 (gdb) bt
 #0  0x00000000004288b0 in __ubsan::ScopedReport::~ScopedReport() ()
 #1  0x000000000042b0eb in void
 handleIntegerOverflowImpl<__ubsan::Value>(__ubsan::OverflowData*, unsigned
 long, char const*, __ubsan::Value, __ubsan::ReportOptions) ()
 #2  0x000000000042c8bf in __ubsan_handle_add_overflow ()
 #3  0x0000000001fc54b1 in avpriv_do_elbg (points=<optimized out>, dim=6,
 numpoints=103680, codebook=<optimized out>,
     numCB=<optimized out>, max_steps=1, closest_cb=0x7ffff438b040,
 rand_state=0x93c4cf8) at libavcodec/elbg.c:427
 #4  0x0000000001d57065 in quantize (s=<optimized out>, h=<optimized out>,
 data=<optimized out>, linesize=<optimized out>,
     v1mode=<optimized out>, info=<optimized out>, encoding=<optimized
 out>) at libavcodec/cinepakenc.c:781
 #5  0x0000000001d52b71 in rd_strip (y=0, s=<optimized out>, h=<optimized
 out>, keyframe=<optimized out>, last_data=<optimized out>,
     last_linesize=<optimized out>, data=<optimized out>,
 linesize=<optimized out>, scratch_data=<optimized out>,
     scratch_linesize=<optimized out>, buf=<optimized out>,
 best_score=<optimized out>) at libavcodec/cinepakenc.c:920
 #6  rd_frame (s=<optimized out>, frame=<optimized out>,
 isakeyframe=<optimized out>, buf=<optimized out>, buf_size=0)
     at libavcodec/cinepakenc.c:1101
 #7  0x0000000001d50742 in cinepak_encode_frame (avctx=<optimized out>,
 pkt=<optimized out>, frame=<optimized out>,
     got_packet=0x7fffffffc164) at libavcodec/cinepakenc.c:1162
 #8  0x0000000001fd2adf in avcodec_encode_video2 (avctx=0x93c4800,
 avpkt=<optimized out>, frame=<optimized out>,
     got_packet_ptr=0x7fffffffc164) at libavcodec/encode.c:302
 #9  0x0000000001fd4810 in do_encode (avctx=0x93c4800, frame=0x93dfe80,
 got_packet=0x7fffffffc164) at libavcodec/encode.c:371
 #10 0x0000000001fd438a in avcodec_send_frame (avctx=0x93c4800,
 frame=0x93dfe80) at libavcodec/encode.c:420
 #11 0x00000000004c51f8 in do_video_out (of=0x93b91c0, ost=<optimized out>,
 next_picture=<optimized out>,
     sync_ipts=4.9406564584124654e-324) at fftools/ffmpeg.c:1287
 #12 0x00000000004c0f2b in reap_filters (flush=0) at fftools/ffmpeg.c:1504
 #13 0x000000000048d682 in transcode_step () at fftools/ffmpeg.c:4638
 #14 transcode () at fftools/ffmpeg.c:4682
 #15 0x0000000000487dc4 in main (argc=34, argv=<optimized out>) at
 fftools/ffmpeg.c:4884
 (gdb) c
 Continuing.
 libavcodec/elbg.c:451:26: runtime error: signed integer overflow:
 2147483647 - -1719047551 cannot be represented in type 'int'

 Thread 1 "ffmpeg_g" hit Breakpoint 1, 0x00000000004288b0 in
 __ubsan::ScopedReport::~ScopedReport() ()

 }}}
 Please confirm.
 Thanks

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8312>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker


More information about the FFmpeg-trac mailing list