[FFmpeg-devel] [PATCH 1/7] avcodec/mpc: Fix multiple numerical overflows in ff_mpc_dequantize_and_synth()

Sun May 10 22:32:12 EEST 2020

On Sun, May 10, 2020 at 09:20:13PM +0200, Michael Niedermayer wrote:
> This uses lrintf() which is not ideal as it still can raise an error
> but it is not undefined behavior. So a better solution should ideally be found
> 
> Fixes: -2.4187e+09 is outside the range of representable values of type 'int'
> Fixes: signed integer overflow: -14512205 + -2147483648 cannot be represented in type 'int'
> Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC7_fuzzer-5747263166480384
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavcodec/mpc.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)

Heres a more correct but slower solution:

From 74bdf7ac2ff3b72d8f31e43e41555205b9f1e37f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael at niedermayer.cc>
Date: Sun, 10 May 2020 19:04:23 +0200
Subject: [PATCH] avcodec/mpc: Fix multiple numerical overflows in
 ff_mpc_dequantize_and_synth()

Fixes: -2.4187e+09 is outside the range of representable values of type 'int'
Fixes: signed integer overflow: -14512205 + -2147483648 cannot be represented in type 'int'
Fixes: 20492/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_MPC7_fuzzer-5747263166480384

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 libavcodec/mpc.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libavcodec/mpc.c b/libavcodec/mpc.c
index 6cf9b9d520..e56b608d8c 100644
--- a/libavcodec/mpc.c
+++ b/libavcodec/mpc.c
@@ -75,17 +75,17 @@ void ff_mpc_dequantize_and_synth(MPCContext * c, int maxband, int16_t **out,
                 j = 0;
                 mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][0] & 0xFF];
                 for(; j < 12; j++)
-                    c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off];
+                    c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX);
                 mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][1] & 0xFF];
                 for(; j < 24; j++)
-                    c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off];
+                    c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX);
                 mul = (mpc_CC+1)[bands[i].res[ch]] * mpc_SCF[bands[i].scf_idx[ch][2] & 0xFF];
                 for(; j < 36; j++)
-                    c->sb_samples[ch][j][i] = mul * c->Q[ch][j + off];
+                    c->sb_samples[ch][j][i] = av_clipf(mul * c->Q[ch][j + off], INT32_MIN, INT32_MAX);
             }
         }
         if(bands[i].msf){
-            int t1, t2;
+            unsigned t1, t2;
             for(j = 0; j < SAMPLES_PER_BAND; j++){
                 t1 = c->sb_samples[0][j][i];
                 t2 = c->sb_samples[1][j][i];
-- 
2.17.1



[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Rewriting code that is poorly written but fully understood is good.
Rewriting code that one doesnt understand is a sign that one is less smart
then the original author, trying to rewrite it will not make it better.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20200510/833f899e/attachment.sig>
