From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Subject: Re: [FFmpeg-devel] [PATCH 4/4] avcodec/bonk: Check for undefined overflow in predictor_calc_error()
Date: Sun, 6 Nov 2022 13:30:36 +0100
Message-ID: <20221106123036.GV1814017@pb2> (raw)
In-Reply-To: <CAPYw7P4Kt4iMDTWQDfwhHH_wPOzSBSe0Rie7JO3Hr-vYBH-PAg@mail.gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 2766 bytes --]
On Sun, Nov 06, 2022 at 09:50:47AM +0100, Paul B Mahol wrote:
> On 11/5/22, Michael Niedermayer <michael@niedermayer.cc> wrote:
> > Fixes: signed integer overflow: 22 * -2107998208 cannot be represented in
> > type 'int'
> > Fixes:
> > 51363/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-5660734784143360
> >
> > Found-by: continuous fuzzing process
> > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> > libavcodec/bonk.c | 11 +++++++++--
> > 1 file changed, 9 insertions(+), 2 deletions(-)
> >
> > diff --git a/libavcodec/bonk.c b/libavcodec/bonk.c
> > index 1695229dbd..40963aa7c6 100644
> > --- a/libavcodec/bonk.c
> > +++ b/libavcodec/bonk.c
> > @@ -278,10 +278,13 @@ static int predictor_calc_error(int *k, int *state,
> > int order, int error)
> > *state_ptr = &(state[order-2]);
> >
> > for (i = order-2; i >= 0; i--, k_ptr--, state_ptr--) {
> > - int k_value = *k_ptr, state_value = *state_ptr;
> > + int64_t k_value = *k_ptr, state_value = *state_ptr;
> >
> > x -= shift_down(k_value * state_value, LATTICE_SHIFT);
> > - state_ptr[1] = state_value + shift_down(k_value * x,
> > LATTICE_SHIFT);
> > + k_value *= x;
> > + if ((int32_t)k_value != k_value)
> > + return AVERROR_INVALIDDATA;
> > + state_ptr[1] = state_value + shift_down(k_value, LATTICE_SHIFT);
> > }
> >
> > // don't drift too far, to avoid overflows
> > @@ -366,6 +369,8 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame
> > *frame,
> > int64_t t64;
> > for (int j = 0; j < s->down_sampling - 1; j++) {
> > sample[0] = predictor_calc_error(s->k, state, s->n_taps,
> > 0);
> > + if (sample[0] == AVERROR_INVALIDDATA)
> > + return sample[0];
> > sample++;
> > }
> >
> > @@ -374,6 +379,8 @@ static int bonk_decode(AVCodecContext *avctx, AVFrame
> > *frame,
> > return AVERROR_INVALIDDATA;
> >
> > sample[0] = predictor_calc_error(s->k, state, s->n_taps, t64);
> > + if (sample[0] == AVERROR_INVALIDDATA)
> > + return sample[0];
> > sample++;
> > }
> >
> > --
> > 2.17.1
> >
>
>
> NAK,
>
> slowing things down by using int64_t
ill post some other solution, it seems slower indeed, i was hoping
gcc would produce smarter code
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Elect your leaders based on what they did after the last election, not
based on what they say before an election.
[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
[-- Attachment #2: Type: text/plain, Size: 251 bytes --]
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next prev parent reply other threads:[~2022-11-06 12:30 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-05 20:16 [FFmpeg-devel] [PATCH 1/4] avcodec/dts2pts_bsf: Check ctx for NULL before ff_cbs_flush() Michael Niedermayer
2022-11-05 20:16 ` [FFmpeg-devel] [PATCH 2/4] avcodec/bonk: decode multiple passes in intlist_read() at once Michael Niedermayer
2022-11-05 20:16 ` [FFmpeg-devel] [PATCH 3/4] avcodec/bonk: Check unquant for overflow Michael Niedermayer
2022-11-06 8:51 ` Paul B Mahol
2022-11-06 12:29 ` Michael Niedermayer
2022-11-05 20:16 ` [FFmpeg-devel] [PATCH 4/4] avcodec/bonk: Check for undefined overflow in predictor_calc_error() Michael Niedermayer
2022-11-06 8:50 ` Paul B Mahol
2022-11-06 12:30 ` Michael Niedermayer [this message]
2022-11-06 22:38 ` [FFmpeg-devel] [PATCH 1/4] avcodec/dts2pts_bsf: Check ctx for NULL before ff_cbs_flush() James Almer
2022-11-09 22:03 ` Michael Niedermayer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221106123036.GV1814017@pb2 \
--to=michael@niedermayer.cc \
--cc=ffmpeg-devel@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git