[FFmpeg-trac] #8593(avformat:new): UBSan: signed integer overflow

FFmpeg trac at avcodec.org
Tue Mar 31 19:12:37 EEST 2020


#8593: UBSan: signed integer overflow
---------------------------------------+-------------------------------------
             Reporter:  andreafioraldi |                     Type:  defect
               Status:  new            |                 Priority:  normal
            Component:  avformat       |                  Version:  git-master
             Keywords:                 |               Blocked By:
             Blocking:                 |  Reproduced by developer:  0
Analyzed by developer:  0              |
---------------------------------------+-------------------------------------
 Summary of the bug:

 This multiplication at line 593 of wavdec.c causes an overflow:

 st->codecpar->block_align *= st->codecpar->channels;

 How to reproduce:
 {{{
 % ffmpeg -i id:000157,sig:04,src:000055,time:3158020,op:MOpt_havoc,rep:128 out.mp3
 ffmpeg version N-97118-gfa164bc50e Copyright (c) 2000-2020 the FFmpeg developers
   built with clang version 10.0.0 (git@github.com:andreafioraldi/ConstrainedMemorySanitizer.git 5b365c37a959d429121850f6d91ed160d4cdf76f)
   configuration: --cc=clang-10 --cxx=clang++-10
   libavutil      56. 42.102 / 56. 42.102
   libavcodec     58. 77.101 / 58. 77.101
   libavformat    58. 42.100 / 58. 42.100
   libavdevice    58.  9.103 / 58.  9.103
   libavfilter     7. 77.101 /  7. 77.101
   libswscale      5.  6.101 /  5.  6.101
   libswresample   3.  6.100 /  3.  6.100
 libavformat/wavdec.c:593:35: runtime error: signed integer overflow: 65035 * 65281 cannot be represented in type 'int'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavformat/wavdec.c:593:35 in
 [NULL @ 0x619000000580] Too many or invalid channels: 65281
 [wav @ 0x61b000000080] Failed to open codec in avformat_find_stream_info
 [NULL @ 0x619000000580] Too many or invalid channels: 65281
 [wav @ 0x61b000000080] Packet corrupt (stream = 0, dts = NOPTS).
 Input #0, wav, from 'output/a1/crashes/id:000157,sig:04,src:000055,time:3158020,op:MOpt_havoc,rep:128':
   Duration: 00:00:00.98, bitrate: 48 kb/s
     Stream #0:0: Audio: adpcm_ms ([2][0][0][0] / 0x0002), 11246 Hz, 65281 channels, 2936600 kb/s
 Automatic encoder selection failed for output stream #0:0. Default encoder for format mp3 (codec mp3) is probably disabled. Please choose an encoder manually.
 Error selecting an encoder for stream 0:0

 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8593>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
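
The multiplication named in the ticket, written with an overflow check, as an added example that is not part of the original report and is not FFmpeg's code or its fix. The struct `params` and the function `scale_block_align` are hypothetical names, and rejecting non-positive fields is an assumption of this example.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical stand-in for the two codec parameter fields in the report. */
struct params {
    int block_align;
    int channels;
};

/*
 * Overflow-checked form of `block_align *= channels`.
 * Returns 0 and updates p->block_align on success. Returns -1 and leaves
 * *p untouched when a field is not positive (assumption of this example)
 * or when the product would not fit in an int.
 */
static int scale_block_align(struct params *p)
{
    if (p->block_align <= 0 || p->channels <= 0)
        return -1;
    /* For positive a and b: a * b > INT_MAX  <=>  a > INT_MAX / b. */
    if (p->block_align > INT_MAX / p->channels)
        return -1;
    p->block_align *= p->channels;
    return 0;
}

int main(void)
{
    /* Operands taken from the UBSan message: 65035 * 65281. */
    struct params bad = { 65035, 65281 };
    /* Constructed sample: a small stereo stream. */
    struct params ok = { 1024, 2 };

    printf("report values: %s\n",
           scale_block_align(&bad) ? "rejected" : "accepted");
    printf("stereo sample: %s (block_align=%d)\n",
           scale_block_align(&ok) ? "rejected" : "accepted", ok.block_align);
    return 0;
}
```

The check runs before the multiplication, so the signed overflow that UBSan flags is never evaluated.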

