[FFmpeg-trac] #11346(avcodec:new): signed integer overflow in libavformat/demux.c

FFmpeg trac at avcodec.org
Fri Dec 13 12:47:05 EET 2024


#11346: signed integer overflow in libavformat/demux.c
-------------------------------------+-------------------------------------
             Reporter:  skorpion98   |                    Owner:  (none)
                 Type:  defect       |                   Status:  new
             Priority:  normal       |                Component:  avcodec
              Version:  git-master   |               Resolution:
             Keywords:  ubsan,       |               Blocked By:
  overflow                           |
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
Description changed by skorpion98:

Old description:

> **Summary of the bug**: Signed integer overflow in
> libavformat/demux.c:804
>
> **How to reproduce**:
> In the attached archive you will find:
> * the executable on which we performed our tests, a compiled version of
> the `ffmpeg_DEMUXER_fuzzer` fuzzing harness you made
> * a directory `bug` containing the input that caused the aforementioned
> bug and its UBSan log
>
> To reproduce the errors, simply run the given binary with the testcase
> files with a command like:
> `./ffmpeg_DEMUXER_fuzzer /path_to_testcases/input`.
>
> The program has been tested on the standard Docker image provided on
> OSS-Fuzz using Ubuntu 20.04, using AFL++ as the fuzzing engine and the
> standard sanitizer flags used by OSS-Fuzz for ASan and UBSan.
>
> The commit hash used to perform the tests is `eb79c31`.
>
> **UBSan output**:
>
> {{{
> Reading 8517 bytes from /bugs/ffmpeg/signed_integer_overflow_avformat_01
> libavformat/demux.c:804:36: runtime error: signed integer overflow:
> -9223371749632982144 - 1907869387765793664 cannot be represented in type
> 'int64_t' (aka 'long')
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
> libavformat/demux.c:804:36
> }}}

New description:

 **Summary of the bug**: Signed integer overflow in libavformat/demux.c:804

 **How to reproduce**:
 In the archive uploaded to the "VideoLAN File Uploader" you will find:
 * the executable on which we performed our tests, a compiled version of
 the `ffmpeg_DEMUXER_fuzzer` fuzzing harness you made
 * a directory `bug` containing the input that caused the aforementioned
 bug and its UBSan log

 To reproduce the errors, simply run the given binary with the testcase
 files with a command like:
 `./ffmpeg_DEMUXER_fuzzer /path_to_testcases/input`.

 The program has been tested on the standard Docker image provided on
 OSS-Fuzz using Ubuntu 20.04, using AFL++ as the fuzzing engine and the
 standard sanitizer flags used by OSS-Fuzz for ASan and UBSan.

 The commit hash used to perform the tests is `eb79c31`.

 **UBSan output**:

 {{{
 Reading 8517 bytes from /bugs/ffmpeg/signed_integer_overflow_avformat_01
 libavformat/demux.c:804:36: runtime error: signed integer overflow:
 -9223371749632982144 - 1907869387765793664 cannot be represented in type
 'int64_t' (aka 'long')
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
 libavformat/demux.c:804:36
 }}}

-- 
Ticket URL: <https://trac.ffmpeg.org/ticket/11346#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
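The UBSan report above shows an `int64_t` subtraction whose result cannot be represented. As an added example (this is not FFmpeg's code and not the reporter's), here is the kind of pre-check and saturating fallback a maintainer would put around such a subtraction, exercised with the exact operands from the log; `sub_would_overflow64` and `sat_sub64` are names chosen for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not FFmpeg code. Portable pre-check for int64_t
 * subtraction: true when a - b cannot be represented in int64_t. The test
 * itself never overflows, so there is nothing for UBSan to flag. */
static bool sub_would_overflow64(int64_t a, int64_t b)
{
    if (b < 0)
        return a > INT64_MAX + b;  /* INT64_MAX + b is in range because b < 0  */
    return a < INT64_MIN + b;      /* INT64_MIN + b is in range because b >= 0 */
}

/* Saturating subtraction: clamps to the int64_t limits instead of relying on
 * wrap-around, a common mitigation for deltas computed from untrusted input. */
static int64_t sat_sub64(int64_t a, int64_t b)
{
    if (sub_would_overflow64(a, b))
        return b > 0 ? INT64_MIN : INT64_MAX;
    return a - b;
}

/* Operands copied from the UBSan log in the ticket (constructed test input). */
#define TICKET_A (-9223371749632982144LL)
#define TICKET_B   1907869387765793664LL

int main(void)
{
    printf("overflow? %d\n", sub_would_overflow64(TICKET_A, TICKET_B)); /* 1 */
    printf("clamped:  %lld\n", (long long)sat_sub64(TICKET_A, TICKET_B));
    printf("benign:   %lld\n", (long long)sat_sub64(10, 3));            /* 7 */
    return 0;
}
```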
