[FFmpeg-trac] #8596(avformat:new): UBSan: signed integer overflow in oggdec.c:651

FFmpeg trac at avcodec.org
Thu Apr 2 13:34:03 EEST 2020 

#8596: UBSan: signed integer overflow in oggdec.c:651
-------------------------------------+-------------------------------------
             Reporter:               |                     Type:  defect
  andreafioraldi                     |
               Status:  new          |                 Priority:  normal
            Component:  avformat     |                  Version:  git-
                                     |  master
             Keywords:               |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
 Summary of the bug:

 UBSan reports: signed integer overflow: -9223372036854775808 - 10739712
 cannot be represented in type 'long'

 Looks like that s->streams[i]->duration = -9223372036854775808 and
 s->streams[i]->start_time = 10739712.

 Note that -9223372036854775808 is the minimum value for a long, probably
 this value should not be here.

 At line 651 of oggdec.c there is:

 s->streams[i]->duration -= s->streams[i]->start_time;

 This is ofc UB.

 How to reproduce:
 {{{
 % ffmpeg -i id:000750,sig:04,src:005641,time:94391508,op:MOpt_havoc,rep:4
 out.mp3
 ffmpeg version N-97118-gfa164bc50e Copyright (c) 2000-2020 the FFmpeg
 developers
   built with clang version 10.0.0
 (git at github.com:andreafioraldi/ConstrainedMemorySanitizer.git
 5b365c37a959d429121850f6d91ed160d4cdf76f)
   configuration: --cc=clang-10 --cxx=clang++-10
   libavutil      56. 42.102 / 56. 42.102
   libavcodec     58. 77.101 / 58. 77.101
   libavformat    58. 42.100 / 58. 42.100
   libavdevice    58.  9.103 / 58.  9.103
   libavfilter     7. 77.101 /  7. 77.101
   libswscale      5.  6.101 /  5.  6.101
   libswresample   3.  6.100 /  3.  6.100
 [ogg @ 0x61b000000080] Codec not found
 [Vorbis parser @ 0x613000000200] 8 modes (either a false positive or a
 sample from an unknown encoder) is not implemented. Update your FFmpeg
 version to the newest one from Git. If the problem still occurs, it means
 that your file has a feature which has not been implemented.
 [Vorbis parser @ 0x613000000200] If you want to help, upload a sample of
 this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-
 devel mailing list. (ffmpeg-devel at ffmpeg.org)
 [ogg @ 0x61b000000080] invalid pts -72057594037927936
 libavformat/oggdec.c:651:41: runtime error: signed integer overflow:
 -9223372036854775808 - 10739712 cannot be represented in type 'long'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
 libavformat/oggdec.c:651:41 in
 [ogg @ 0x61b000000080] New streams are not supposed to be added in between
 Ogg context save/restore operations.
 [ogg @ 0x61b000000080] failed to create or replace stream
 [vorbis @ 0x619000001980] Codebook lookup type not supported.
 [vorbis @ 0x619000001980]  Vorbis setup header packet corrupt (codebooks).
 [vorbis @ 0x619000001980] Setup header corrupt.
 [ogg @ 0x61b000000080] Failed to open codec in avformat_find_stream_info
 [vorbis @ 0x619000001980] Codebook lookup type not supported.
 [vorbis @ 0x619000001980]  Vorbis setup header packet corrupt (codebooks).
 [vorbis @ 0x619000001980] Setup header corrupt.
 [ogg @ 0x61b000000080] Codec not found
     Last message repeated 1 times
 [ogg @ 0x61b000000080] Cannot identify new stream
 [ogg @ 0x61b000000080] failed to create or replace stream
 [ogg @ 0x61b000000080] Could not find codec parameters for stream 1
 (Unknown: none): unknown codec
 Consider increasing the value for the 'analyzeduration' and 'probesize'
 options
 [ogg @ 0x61b000000080] Could not find codec parameters for stream 3
 (Unknown: none): unknown codec
 Consider increasing the value for the 'analyzeduration' and 'probesize'
 options
 [ogg @ 0x61b000000080] Could not find codec parameters for stream 4
 (Unknown: none): unknown codec
 Consider increasing the value for the 'analyzeduration' and 'probesize'
 options
 Guessed Channel Layout for Input Stream #0.2 : stereo
 Input #0, ogg, from
 'output/a1/crashes/id:000750,sig:04,src:005641,time:94391508,op:MOpt_havoc,rep:4':
   Duration: 00:00:00.02, start: 2062753000.640726, bitrate: 1679 kb/s
     Stream #0:0: Data: none
     Stream #0:1: Unknown: none
     Stream #0:2: Audio: vorbis, 44100 Hz, stereo, fltp, 79 kb/s
     Metadata:
       ENCODER         : ff
                       : Z���ޙeora 0.10.R
     Stream #0:3: Unknown: none
     Stream #0:4: Unknown: none
 Automatic encoder selection failed for output stream #0:0. Default encoder
 for format mp3 (codec mp3) is probably disabled. Please choose an encoder
 manually.
 Error selecting an encoder for stream 0:0

 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8596>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list