From: Michael Niedermayer via ffmpeg-devel
Cc: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 7 Oct 2025 02:26:36 +0200
Subject: [FFmpeg-devel] Re: [PATCH] libavcodec/g723_1enc: Fix crash

Hi

On Fri, Oct 03, 2025 at 03:49:36PM +0000, Kovacs, Zsolt via ffmpeg-devel wrote:
> Hi All,
>
> We had crashes in prod while compressing audio with G.723.1 using ffmpeg as a library. The callstack was:
>
> fcb_search, line 1027
> ff_encode_encode_cb, line 253
> encode_simple_internal, line 339
> avcodec_send_frame, line 530
>
> After debugging the issue I found that the crash is caused by FCBParam optim; being uninitialized in fcb_search().
>
> The context of fcb_search(), line 1027 in libavcodec\g723_1enc.c:
>
>     /* Reconstruct the excitation */
>     memset(buf, 0, sizeof(int16_t) * SUBFRAME_LEN);
>     for (i = 0; i < pulse_cnt; i++)
>         buf[optim.pulse_pos[i]] = optim.pulse_sign[i];
>
> The last line is 1027; the crash is caused by out of bounds indexing buf with the values in optim.pulse_pos (pulse_cnt is either 5 or 6, and the size of FCBParam::pulse_sign and pulse_pos is PULSE_MAX (6)).
>
> The local variable optim is not initialized in fcb_search(). In get_fcb_param() it's assigned at the end of the function in the /* Minimize */ part, but only if (err < optim->min_err), where optim.min_err = 1 << 30;. err is calculated above that in the /* Compute square of error */ part, by clamping a 64 bit int to 32 bits, so it can easily be larger than 1 << 30. If this happens in all the iterations in get_fcb_param(), then optim is not initialized, and buf is indexed by an uninitialized variable, which caused the crashes.
>
> The fix is to initialize optim in fcb_search(). After we applied the patch to ffmpeg, the compressions did not crash anymore.
>
> Note: this only fixes the crash by ensuring the indices are in the valid range, it doesn't make them correct.

can you share the testcase that causes this issue ?

or test my pr here:
https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20658
which may fix this

thx

[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The smallest minority on earth is the individual. Those who deny
individual rights cannot claim to be defenders of minorities. - Ayn Rand
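The following is an added, self-contained model of the failure the quoted report describes; it is not code from this thread, from the proposed PR, or from ffmpeg's g723_1enc.c. It keeps only the shape of the bug: a "Minimize" step that copies a candidate into `optim` solely when a 32-bit-clipped error beats `min_err = 1 << 30`, followed by the "Reconstruct the excitation" loop that indexes `buf` with `optim.pulse_pos[]`. The names `minimize`, `reconstruct_excitation`, `fcb_search_step`, `step_result` and `step_sample`, the per-iteration error values and the pulse positions are all constructed for the demonstration. Because reading genuinely uninitialised memory is undefined behaviour, the unfixed path pre-fills `optim` with deliberately out-of-range positions so the outcome is deterministic; the reconstruct loop here is bounds-checked and refuses rather than writing out of range, which is the check a defender would want at that site in addition to the reporter's zero-initialisation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes quoted in the report: PULSE_MAX is 6; a G.723.1 subframe is 60 samples. */
#define SUBFRAME_LEN 60
#define PULSE_MAX    6

/* Cut-down stand-in for ffmpeg's FCBParam: only the fields the report mentions. */
typedef struct {
    int min_err;
    int pulse_pos[PULSE_MAX];
    int pulse_sign[PULSE_MAX];
} FCBParam;

/* Saturate a 64-bit error to the int32 range (the clamping the report describes). */
static int clipl_int32(int64_t a)
{
    if (a > INT32_MAX) return INT32_MAX;
    if (a < INT32_MIN) return INT32_MIN;
    return (int)a;
}

/* Hypothetical model of the "Minimize" step: a candidate is copied into *optim
 * only when its clipped error beats optim->min_err. `errors` holds one
 * constructed 64-bit error per iteration. Returns how many times *optim was
 * updated; in the failing case that count is zero. */
static int minimize(FCBParam *optim, const int64_t *errors, int iterations, int pulse_cnt)
{
    int updates = 0;
    for (int it = 0; it < iterations; it++) {
        int err = clipl_int32(errors[it]);     /* a saturated error stays >= 1 << 30 */
        if (err < optim->min_err) {
            optim->min_err = err;
            for (int i = 0; i < pulse_cnt; i++) {
                optim->pulse_pos[i]  = i * 8 + it;        /* constructed, in range */
                optim->pulse_sign[i] = (i & 1) ? -1 : 1;
            }
            updates++;
        }
    }
    return updates;
}

/* Bounds-checked form of the "Reconstruct the excitation" loop at the crash
 * site. Returns the number of pulses written, or -1 (without touching buf out
 * of range) if any pulse position is invalid. */
static int reconstruct_excitation(int16_t *buf, const FCBParam *optim, int pulse_cnt)
{
    memset(buf, 0, sizeof(int16_t) * SUBFRAME_LEN);
    for (int i = 0; i < pulse_cnt; i++) {
        int pos = optim->pulse_pos[i];
        if (pos < 0 || pos >= SUBFRAME_LEN)
            return -1;
        buf[pos] = (int16_t)optim->pulse_sign[i];
    }
    return pulse_cnt;
}

/* One simulated fcb_search() step. all_saturate=1 feeds constructed errors that
 * all clip above 1 << 30 (the report's scenario); 0 includes one small error.
 * zero_init=1 applies the reporter's fix. The unfixed path fills optim with
 * constructed out-of-range positions standing in for stack garbage. */
static int fcb_search_step(int all_saturate, int zero_init, int16_t *buf)
{
    const int pulse_cnt = 5;
    const int64_t saturating[3] = { (int64_t)1 << 40, (int64_t)1 << 35, INT64_MAX };
    const int64_t mixed[3]      = { (int64_t)1 << 40, 12345, INT64_MAX };
    FCBParam optim;

    if (zero_init) {
        memset(&optim, 0, sizeof(optim));
    } else {
        for (int i = 0; i < PULSE_MAX; i++) {
            optim.pulse_pos[i]  = 1000 + i;   /* constructed "garbage", never in range */
            optim.pulse_sign[i] = 1;
        }
    }
    optim.min_err = 1 << 30;
    minimize(&optim, all_saturate ? saturating : mixed, 3, pulse_cnt);
    return reconstruct_excitation(buf, &optim, pulse_cnt);
}

/* Convenience wrappers so a caller can inspect the outcome without owning a buffer. */
static int step_result(int all_saturate, int zero_init)
{
    int16_t buf[SUBFRAME_LEN];
    return fcb_search_step(all_saturate, zero_init, buf);
}

static int step_sample(int all_saturate, int zero_init, int idx)
{
    int16_t buf[SUBFRAME_LEN];
    fcb_search_step(all_saturate, zero_init, buf);
    return buf[idx];
}

int main(void)
{
    printf("all errors saturate, optim unfixed: %d\n", step_result(1, 0)); /* -1: index check fired */
    printf("all errors saturate, optim zeroed:  %d\n", step_result(1, 1)); /* 5: in range, all pulses at 0 */
    printf("one error below 1<<30, zeroed:      %d\n", step_result(0, 1)); /* 5: minimize actually ran */
    return 0;
}
```

The two "saturate" runs are the point: zeroing `optim` turns the out-of-range write into five harmless writes of 0 at `buf[0]`, which is exactly the reporter's caveat that the fix keeps the indices valid without making them meaningful. A separate range check at the reconstruct loop makes the silent case visible instead of relying on initialisation alone.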