[FFmpeg-trac] #8487(avcodec:open): UBSan: left shift of negative value
FFmpeg
trac at avcodec.org
Sun Jan 19 14:58:42 EET 2020
#8487: UBSan: left shift of negative value
-------------------------------------+-------------------------------------
Reporter: andreafioraldi             | Owner:
Type: defect                         | Status: open
Priority: minor                      | Component: avcodec
Version: git-master                  | Resolution:
Keywords: adpcm ubsan                | Blocked By:
Blocking:                            | Reproduced by developer: 1
Analyzed by developer: 0             |
-------------------------------------+-------------------------------------
Changes (by cehoyos):
* status: new => open
* priority: normal => minor
* version: 4.2 => git-master
* keywords: ubsan => adpcm ubsan
* reproduced: 0 => 1
Old description:
> Build ffmpeg 4.2.2 using clang and ubsan (-fsanitize=undefined).
> Command line: ./ffmpeg.ubsan -y -i ./input -c:v mpeg4 -c:a out.mp4
> Output:
> -----------------------------------------------------------------------------
> ffmpeg version 4.2.2 Copyright (c) 2000-2019 the FFmpeg developers
> built with clang version 8.0.0-3~ubuntu18.04.2 (tags/RELEASE_800/final)
> configuration: --cc=clang-8 --cxx=clang++-8 --ld=clang-8
> libavutil 56. 31.100 / 56. 31.100
> libavcodec 58. 54.100 / 58. 54.100
> libavformat 58. 29.100 / 58. 29.100
> libavdevice 58. 8.100 / 58. 8.100
> libavfilter 7. 57.100 / 7. 57.100
> libswscale 5. 5.100 / 5. 5.100
> libswresample 3. 5.100 / 3. 5.100
> Trailing options were found on the commandline.
> [ea_cdata @ 0x902f600] Format ea_cdata detected only with low score of
> 12, misdetection possible!
> Ignoring attempt to set invalid timebase 1/0 for st:0
> libavcodec/adpcm.c:1415:50: runtime error: left shift of negative value
> -2
> libavcodec/adpcm.c:1411:55: runtime error: left shift of negative value
> -1
> [ea_cdata @ 0x902f600] decoding for stream 0 failed
> [ea_cdata @ 0x902f600] Could not find codec parameters for stream 0
> (Audio: adpcm_ea_xas, 1 channels, s16p): unspecified sample rate
> Consider increasing the value for the 'analyzeduration' and 'probesize'
> options
> Guessed Channel Layout for Input Stream #0.0 : mono
> Input #0, ea_cdata, from
> './ffmpeg_ubsan_out/f1/crashes/id:000013,sig:04,src:001011+001703,time:2202546,op:splice,rep:16':
> Duration: N/A, start: 0.000000, bitrate: N/A
> Stream #0:0: Audio: adpcm_ea_xas, mono, s16p
> At least one output file must be specified
> -----------------------------------------------------------------------------
>
> Look at:
>
> case AV_CODEC_ID_ADPCM_EA_XAS:
>     for (channel=0; channel<avctx->channels; channel++) {
>         ...
>         val = sign_extend(bytestream2_get_le16u(&gb), 16);
>         shift[n] = 20 - (val & 0x0F);
>         ...
>     }
>
>     for (m=2; m<32; m+=2) {
>         ...
>         for (n = 0; n < 4; n++, s += 32) {
>             ...
>             level = sign_extend(byte >> 4, 4) << shift[n]; // line 1415
>             ...
>         }
>     }
> }
>
> This bug really does not make sense to me: val is controlled, but the 0x0f
> mask should prevent shift[n] from having a negative value.
> UBSan has no false positives, so there is a bug indeed, but I don't
> understand why.
> Maybe there is something really bad with the n indexes or some shady clang
> optimization that assumed bad things.
>
> I attach a file to reproduce the issue in base64:
> BAAAAABQX0UvBf//Bf93/3wIAAAAKAAAABBFMDAAABAATjs0MP93/1NBVUNFKTBtTncIAAAAE15BVV9FLzAMRm7/d/93B+4AACgAAABiRTAlOzQwbU47NCBtTgA=
New description:
Build ffmpeg 4.2.2 using clang and ubsan (-fsanitize=undefined).
Command line: ./ffmpeg.ubsan -y -i ./input -c:v mpeg4 -c:a out.mp4
Output:
-----------------------------------------------------------------------------
{{{
ffmpeg version 4.2.2 Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 8.0.0-3~ubuntu18.04.2 (tags/RELEASE_800/final)
configuration: --cc=clang-8 --cxx=clang++-8 --ld=clang-8
libavutil 56. 31.100 / 56. 31.100
libavcodec 58. 54.100 / 58. 54.100
libavformat 58. 29.100 / 58. 29.100
libavdevice 58. 8.100 / 58. 8.100
libavfilter 7. 57.100 / 7. 57.100
libswscale 5. 5.100 / 5. 5.100
libswresample 3. 5.100 / 3. 5.100
Trailing options were found on the commandline.
[ea_cdata @ 0x902f600] Format ea_cdata detected only with low score of 12,
misdetection possible!
Ignoring attempt to set invalid timebase 1/0 for st:0
libavcodec/adpcm.c:1415:50: runtime error: left shift of negative value -2
libavcodec/adpcm.c:1411:55: runtime error: left shift of negative value -1
[ea_cdata @ 0x902f600] decoding for stream 0 failed
[ea_cdata @ 0x902f600] Could not find codec parameters for stream 0
(Audio: adpcm_ea_xas, 1 channels, s16p): unspecified sample rate
Consider increasing the value for the 'analyzeduration' and 'probesize'
options
Guessed Channel Layout for Input Stream #0.0 : mono
Input #0, ea_cdata, from
'./ffmpeg_ubsan_out/f1/crashes/id:000013,sig:04,src:001011+001703,time:2202546,op:splice,rep:16':
Duration: N/A, start: 0.000000, bitrate: N/A
Stream #0:0: Audio: adpcm_ea_xas, mono, s16p
At least one output file must be specified
}}}
Look at:
{{{
case AV_CODEC_ID_ADPCM_EA_XAS:
    for (channel=0; channel<avctx->channels; channel++) {
        ...
        val = sign_extend(bytestream2_get_le16u(&gb), 16);
        shift[n] = 20 - (val & 0x0F);
        ...
    }

    for (m=2; m<32; m+=2) {
        ...
        for (n = 0; n < 4; n++, s += 32) {
            ...
            level = sign_extend(byte >> 4, 4) << shift[n]; // line 1415
            ...
        }
    }
}
}}}
This bug really does not make sense to me: val is controlled, but the 0x0f
mask should prevent shift[n] from having a negative value.
UBSan has no false positives, so there is a bug indeed, but I don't
understand why.
Maybe there is something really bad with the n indexes or some shady clang
optimization that assumed bad things.
I attach a file to reproduce the issue in base64:
{{{
BAAAAABQX0UvBf//Bf93/3wIAAAAKAAAABBFMDAAABAATjs0MP93/1NBVUNFKTBtTncIAAAAE15BVV9FLzAMRm7/d/93B+4AACgAAABiRTAlOzQwbU47NCBtTgA=
}}}
--
Ticket URL: <https://trac.ffmpeg.org/ticket/8487#comment:2>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
More information about the FFmpeg-trac mailing list
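Added worked example (editor's code, not libavcodec source and not a patch that was applied to FFmpeg). The two sanitizer lines quoted in the ticket report the value being shifted, -2 and -1, so the negative operand is the sign-extended high nibble on the left of `<<`, not the shift count on the right; `20 - (val & 0x0F)` does bound the count to 5..20, exactly as the reporter's mask argument says. C leaves a left shift of a negative signed value undefined (C11 6.5.7p4), and that is the condition UBSan flags. The block below re-implements the contract of `sign_extend()` with well-defined arithmetic, bounds the shift as the ticket's code does, and computes the same scaling by multiplying with `1 << shift` instead of shifting the signed value. The names `xas_shift` and `xas_level` are this example's own, and the loop over the sixteen possible high nibbles is constructed input.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not libavcodec code. sign_extend() re-implements the
 * contract of libavutil's helper (read the low 'bits' bits of val as a
 * two's-complement number) using only well-defined operations.
 * Assumes 1 <= bits <= 16, which covers both uses in the ticket (4 and 16). */
static int sign_extend(unsigned val, unsigned bits)
{
    unsigned mask = (1u << bits) - 1;
    val &= mask;
    if (val & (1u << (bits - 1)))           /* sign bit of the narrow field set */
        return (int)val - (int)(mask + 1);  /* e.g. 0xE -> 14 - 16 = -2 */
    return (int)val;
}

/* shift[n] = 20 - (val & 0x0F) as in the ticket: the mask bounds the result
 * to 5..20, so the shift COUNT is never negative and never >= 32. */
static int xas_shift(int val)
{
    return 20 - (val & 0x0F);
}

/* The expression at adpcm.c:1415 is  sign_extend(byte >> 4, 4) << shift[n].
 * For a high nibble of 0x8..0xF the left operand is -8..-1, and shifting a
 * negative signed value left is undefined behaviour in C; UBSan reports it
 * as "left shift of negative value -2". Multiplying by 2^shift gives the
 * intended scaling with defined semantics: |nibble| <= 8 and shift <= 20
 * keep |product| <= 8 * 2^20, well inside int32_t. */
static int32_t xas_level(unsigned byte, int shift)
{
    int nibble = sign_extend(byte >> 4, 4);     /* -8..7 */
    assert(shift >= 5 && shift <= 20);          /* guaranteed by xas_shift() */
    return nibble * (int32_t)(1u << shift);
}

int main(void)
{
    /* Constructed input: every possible high nibble, paired with the
     * largest shift the format allows (val & 0x0F == 0 gives 20). */
    int shift = xas_shift(0x0000);
    for (unsigned hi = 0; hi < 16; hi++) {
        unsigned byte = hi << 4;
        int nibble = sign_extend(hi, 4);
        printf("high nibble 0x%X -> operand %2d (%s) -> level %9d\n",
               hi, nibble,
               nibble < 0 ? "UB under <<" : "defined under <<",
               xas_level(byte, shift));
    }
    return 0;
}
```

The table printed by `main()` shows that half of the nibble values (0x8..0xF) make the left operand negative, so any XAS stream with such nibbles, not just the fuzzer-generated file attached to the ticket, exercises the undefined shift; the multiplication form is what the sanitizer build should be checked against.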