[FFmpeg-devel] [PATCH] libswresample: Prevent out of bounds.

[FFmpeg-devel] [PATCH] libswresample: Prevent out of bounds.

[kobrineli]

From: Eli Kobrin <kobrineli@ispras.ru>

We've been fuzzing torchvision with [sydr-fuzz](https://github.com/ispras/oss-sydr-fuzz)
and found out of bounds error in ffmpeg project at audioconvert.c:151.
To prevent error we need to fix checks for in and out fmt in swr_init.

Signed-off-by: Eli Kobrin <kobrineli@ispras.ru>
---
 libswresample/swresample.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libswresample/swresample.c b/libswresample/swresample.c
index 6dc329a9d0..fb3d7bccbf 100644
--- a/libswresample/swresample.c
+++ b/libswresample/swresample.c
@@ -196,11 +196,11 @@ av_cold int swr_init(struct SwrContext *s){
 
     clear_context(s);
 
-    if(s-> in_sample_fmt >= AV_SAMPLE_FMT_NB){
+    if((unsigned) s-> in_sample_fmt >= AV_SAMPLE_FMT_NB){
         av_log(s, AV_LOG_ERROR, "Requested input sample format %d is invalid\n", s->in_sample_fmt);
         return AVERROR(EINVAL);
     }
-    if(s->out_sample_fmt >= AV_SAMPLE_FMT_NB){
+    if((unsigned) s->out_sample_fmt >= AV_SAMPLE_FMT_NB){
         av_log(s, AV_LOG_ERROR, "Requested output sample format %d is invalid\n", s->out_sample_fmt);
         return AVERROR(EINVAL);
     }
-- 
2.25.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH] libswresample: Prevent out of bounds.

[Michael Niedermayer]

[-- Attachment #1.1: Type: text/plain, Size: 754 bytes --]

On Wed, Aug 02, 2023 at 03:14:10PM +0300, kobrineli wrote:
> From: Eli Kobrin <kobrineli@ispras.ru>
> 
> We've been fuzzing torchvision with [sydr-fuzz](https://github.com/ispras/oss-sydr-fuzz)
> and found out of bounds error in ffmpeg project at audioconvert.c:151.
> To prevent error we need to fix checks for in and out fmt in swr_init.
> 
> Signed-off-by: Eli Kobrin <kobrineli@ispras.ru>
> ---
>  libswresample/swresample.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

will apply

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Dictatorship naturally arises out of democracy, and the most aggravated
form of tyranny and slavery out of the most extreme liberty. -- Plato

[-- Attachment #1.2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

[-- Attachment #2: Type: text/plain, Size: 251 bytes --]

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH] libswresample: Prevent out of bounds.

[kobrineli]

Resubmitted, thanks

On 2023-08-02 15:06, Ronald S. Bultje wrote:
> Hi,
> 
> On Wed, Aug 2, 2023 at 7:31 AM kobrineli <kobrineli@ispras.ru> wrote:
> 
>> From: Eli Kobrin <kobrineli@ispras.ru>
>> 
>> We've been fuzzing torchvision with [sydr-fuzz](
>> https://github.com/ispras/oss-sydr-fuzz)
>> and found out of bounds error in ffmpeg project at audioconvert.c:51.
>> To prevent error we need to insert corresponding check and fix checks
>> for in and out fmt in swr_init.
>> 
>> Signed-off-by: Eli Kobrin <kobrineli@ispras.ru>
>> ---
>>  libswresample/audioconvert.c | 7 ++++++-
>>  libswresample/swresample.c   | 4 ++--
>>  2 files changed, 8 insertions(+), 3 deletions(-)
>> 
>> diff --git a/libswresample/audioconvert.c 
>> b/libswresample/audioconvert.c
>> index 1d75ba1495..701f4808a0 100644
>> --- a/libswresample/audioconvert.c
>> +++ b/libswresample/audioconvert.c
>> @@ -148,7 +148,12 @@ AudioConvert *swri_audio_convert_alloc(enum
>> AVSampleFormat out_fmt,
>>                                         int flags)
>>  {
>>      AudioConvert *ctx;
>> -    conv_func_type *f =
>> fmt_pair_to_conv_functions[av_get_packed_sample_fmt(out_fmt) +
>> AV_SAMPLE_FMT_NB*av_get_packed_sample_fmt(in_fmt)];
>> +
>> +    size_t idx = av_get_packed_sample_fmt(out_fmt) + AV_SAMPLE_FMT_NB 
>> *
>> av_get_packed_sample_fmt(in_fmt);
>> +    if (idx >= AV_SAMPLE_FMT_NB * AV_SAMPLE_FMT_NB)
>> +        return NULL;
>> +
>> +    conv_func_type *f = fmt_pair_to_conv_functions[idx];
>> 
> 
> This is not necessary anymore, please remove this portion.
> 
> 
>> diff --git a/libswresample/swresample.c b/libswresample/swresample.c
>> index 6dc329a9d0..b7cab36710 100644
>> --- a/libswresample/swresample.c
>> +++ b/libswresample/swresample.c
>> @@ -196,11 +196,11 @@ av_cold int swr_init(struct SwrContext *s){
>> 
>>      clear_context(s);
>> 
>> -    if(s-> in_sample_fmt >= AV_SAMPLE_FMT_NB){
>> +    if(s-> in_sample_fmt >= AV_SAMPLE_FMT_NB || s-> in_sample_fmt < 
>> 0){
>>          av_log(s, AV_LOG_ERROR, "Requested input sample format %d is
>> invalid\n", s->in_sample_fmt);
>>          return AVERROR(EINVAL);
>>      }
>> -    if(s->out_sample_fmt >= AV_SAMPLE_FMT_NB){
>> +    if(s->out_sample_fmt >= AV_SAMPLE_FMT_NB || s->out_sample_fmt < 
>> 0){
>>          av_log(s, AV_LOG_ERROR, "Requested output sample format %d is
>> invalid\n", s->out_sample_fmt);
>>          return AVERROR(EINVAL);
>>      }
>> --
>> 2.25.1
>> 
> 
> You can simplify this to "if ((unsigned) s->in/out_sample_fmt >=
> AV_SAMPLE_FMT_NB)".
> 
> Ronald
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH] libswresample: Prevent out of bounds.

[Ronald S. Bultje]

Hi,

On Wed, Aug 2, 2023 at 7:31 AM kobrineli <kobrineli@ispras.ru> wrote:

> From: Eli Kobrin <kobrineli@ispras.ru>
>
> We've been fuzzing torchvision with [sydr-fuzz](
> https://github.com/ispras/oss-sydr-fuzz)
> and found out of bounds error in ffmpeg project at audioconvert.c:51.
> To prevent error we need to insert corresponding check and fix checks
> for in and out fmt in swr_init.
>
> Signed-off-by: Eli Kobrin <kobrineli@ispras.ru>
> ---
>  libswresample/audioconvert.c | 7 ++++++-
>  libswresample/swresample.c   | 4 ++--
>  2 files changed, 8 insertions(+), 3 deletions(-)
>
> diff --git a/libswresample/audioconvert.c b/libswresample/audioconvert.c
> index 1d75ba1495..701f4808a0 100644
> --- a/libswresample/audioconvert.c
> +++ b/libswresample/audioconvert.c
> @@ -148,7 +148,12 @@ AudioConvert *swri_audio_convert_alloc(enum
> AVSampleFormat out_fmt,
>                                         int flags)
>  {
>      AudioConvert *ctx;
> -    conv_func_type *f =
> fmt_pair_to_conv_functions[av_get_packed_sample_fmt(out_fmt) +
> AV_SAMPLE_FMT_NB*av_get_packed_sample_fmt(in_fmt)];
> +
> +    size_t idx = av_get_packed_sample_fmt(out_fmt) + AV_SAMPLE_FMT_NB *
> av_get_packed_sample_fmt(in_fmt);
> +    if (idx >= AV_SAMPLE_FMT_NB * AV_SAMPLE_FMT_NB)
> +        return NULL;
> +
> +    conv_func_type *f = fmt_pair_to_conv_functions[idx];
>

This is not necessary anymore, please remove this portion.


> diff --git a/libswresample/swresample.c b/libswresample/swresample.c
> index 6dc329a9d0..b7cab36710 100644
> --- a/libswresample/swresample.c
> +++ b/libswresample/swresample.c
> @@ -196,11 +196,11 @@ av_cold int swr_init(struct SwrContext *s){
>
>      clear_context(s);
>
> -    if(s-> in_sample_fmt >= AV_SAMPLE_FMT_NB){
> +    if(s-> in_sample_fmt >= AV_SAMPLE_FMT_NB || s-> in_sample_fmt < 0){
>          av_log(s, AV_LOG_ERROR, "Requested input sample format %d is
> invalid\n", s->in_sample_fmt);
>          return AVERROR(EINVAL);
>      }
> -    if(s->out_sample_fmt >= AV_SAMPLE_FMT_NB){
> +    if(s->out_sample_fmt >= AV_SAMPLE_FMT_NB || s->out_sample_fmt < 0){
>          av_log(s, AV_LOG_ERROR, "Requested output sample format %d is
> invalid\n", s->out_sample_fmt);
>          return AVERROR(EINVAL);
>      }
> --
> 2.25.1
>

You can simplify this to "if ((unsigned) s->in/out_sample_fmt >=
AV_SAMPLE_FMT_NB)".

Ronald
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH] libswresample: Prevent out of bounds.

[kobrineli]

Resubmitted the patch 
(https://patchwork.ffmpeg.org/project/ffmpeg/patch/20230802113106.1138555-1-kobrineli@ispras.ru/).
Didn't understand how to fix the existing patch.

On 2023-08-02 13:51, Andreas Rheinhardt wrote:
> kobrineli:
>> From: Eli Kobrin <kobrineli@ispras.ru>
>> 
>> We've been fuzzing torchvision with 
>> [sydr-fuzz](https://github.com/ispras/oss-sydr-fuzz)
>> and found out of bounds error in ffmpeg project at audioconvert.c:51.
>> To prevent error we need to insert corresponding check.
>> 
>> Signed-off-by: Eli Kobrin <kobrineli@ispras.ru>
>> ---
>>  libswresample/audioconvert.c | 7 ++++++-
>>  1 file changed, 6 insertions(+), 1 deletion(-)
>> 
>> diff --git a/libswresample/audioconvert.c 
>> b/libswresample/audioconvert.c
>> index 1d75ba1495..701f4808a0 100644
>> --- a/libswresample/audioconvert.c
>> +++ b/libswresample/audioconvert.c
>> @@ -148,7 +148,12 @@ AudioConvert *swri_audio_convert_alloc(enum 
>> AVSampleFormat out_fmt,
>>                                         int flags)
>>  {
>>      AudioConvert *ctx;
>> -    conv_func_type *f = 
>> fmt_pair_to_conv_functions[av_get_packed_sample_fmt(out_fmt) + 
>> AV_SAMPLE_FMT_NB*av_get_packed_sample_fmt(in_fmt)];
>> +
>> +    size_t idx = av_get_packed_sample_fmt(out_fmt) + AV_SAMPLE_FMT_NB 
>> * av_get_packed_sample_fmt(in_fmt);
>> +    if (idx >= AV_SAMPLE_FMT_NB * AV_SAMPLE_FMT_NB)
>> +        return NULL;
>> +
>> +    conv_func_type *f = fmt_pair_to_conv_functions[idx];
>> 
>>      if (!f)
>>          return NULL;
> 
> Something seems to be using an invalid sample format (either out_fmt or
> in_fmt). You should investigate where this comes from.
> (Given that this is a public function, we should probably validate user
> input; and maybe stop using AV_SAMPLE_FMT_NB altogether.)
> 
> - Andreas
> 
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH] libswresample: Prevent out of bounds.

[kobrineli]

From: Eli Kobrin <kobrineli@ispras.ru>

We've been fuzzing torchvision with [sydr-fuzz](https://github.com/ispras/oss-sydr-fuzz)
and found out of bounds error in ffmpeg project at audioconvert.c:51.
To prevent error we need to insert corresponding check and fix checks
for in and out fmt in swr_init.

Signed-off-by: Eli Kobrin <kobrineli@ispras.ru>
---
 libswresample/audioconvert.c | 7 ++++++-
 libswresample/swresample.c   | 4 ++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/libswresample/audioconvert.c b/libswresample/audioconvert.c
index 1d75ba1495..701f4808a0 100644
--- a/libswresample/audioconvert.c
+++ b/libswresample/audioconvert.c
@@ -148,7 +148,12 @@ AudioConvert *swri_audio_convert_alloc(enum AVSampleFormat out_fmt,
                                        int flags)
 {
     AudioConvert *ctx;
-    conv_func_type *f = fmt_pair_to_conv_functions[av_get_packed_sample_fmt(out_fmt) + AV_SAMPLE_FMT_NB*av_get_packed_sample_fmt(in_fmt)];
+
+    size_t idx = av_get_packed_sample_fmt(out_fmt) + AV_SAMPLE_FMT_NB * av_get_packed_sample_fmt(in_fmt);
+    if (idx >= AV_SAMPLE_FMT_NB * AV_SAMPLE_FMT_NB)
+        return NULL;
+
+    conv_func_type *f = fmt_pair_to_conv_functions[idx];
 
     if (!f)
         return NULL;
diff --git a/libswresample/swresample.c b/libswresample/swresample.c
index 6dc329a9d0..b7cab36710 100644
--- a/libswresample/swresample.c
+++ b/libswresample/swresample.c
@@ -196,11 +196,11 @@ av_cold int swr_init(struct SwrContext *s){
 
     clear_context(s);
 
-    if(s-> in_sample_fmt >= AV_SAMPLE_FMT_NB){
+    if(s-> in_sample_fmt >= AV_SAMPLE_FMT_NB || s-> in_sample_fmt < 0){
         av_log(s, AV_LOG_ERROR, "Requested input sample format %d is invalid\n", s->in_sample_fmt);
         return AVERROR(EINVAL);
     }
-    if(s->out_sample_fmt >= AV_SAMPLE_FMT_NB){
+    if(s->out_sample_fmt >= AV_SAMPLE_FMT_NB || s->out_sample_fmt < 0){
         av_log(s, AV_LOG_ERROR, "Requested output sample format %d is invalid\n", s->out_sample_fmt);
         return AVERROR(EINVAL);
     }
-- 
2.25.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH] libswresample: Prevent out of bounds.

[kobrineli]

I've found out that `in_fmt` is equal to -1 at the place of error, so we 
just need to insert check at the beginning of `swr_init` function to 
check fmts positivity.

On 2023-08-02 13:51, Andreas Rheinhardt wrote:

> kobrineli:
> 
>> From: Eli Kobrin <kobrineli@ispras.ru>
>> 
>> We've been fuzzing torchvision with 
>> [sydr-fuzz](https://github.com/ispras/oss-sydr-fuzz)
>> and found out of bounds error in ffmpeg project at audioconvert.c:51.
>> To prevent error we need to insert corresponding check.
>> 
>> Signed-off-by: Eli Kobrin <kobrineli@ispras.ru>
>> ---
>> libswresample/audioconvert.c | 7 ++++++-
>> 1 file changed, 6 insertions(+), 1 deletion(-)
>> 
>> diff --git a/libswresample/audioconvert.c 
>> b/libswresample/audioconvert.c
>> index 1d75ba1495..701f4808a0 100644
>> --- a/libswresample/audioconvert.c
>> +++ b/libswresample/audioconvert.c
>> @@ -148,7 +148,12 @@ AudioConvert *swri_audio_convert_alloc(enum 
>> AVSampleFormat out_fmt,
>> int flags)
>> {
>> AudioConvert *ctx;
>> -    conv_func_type *f = 
>> fmt_pair_to_conv_functions[av_get_packed_sample_fmt(out_fmt) + 
>> AV_SAMPLE_FMT_NB*av_get_packed_sample_fmt(in_fmt)];
>> +
>> +    size_t idx = av_get_packed_sample_fmt(out_fmt) + AV_SAMPLE_FMT_NB 
>> * av_get_packed_sample_fmt(in_fmt);
>> +    if (idx >= AV_SAMPLE_FMT_NB * AV_SAMPLE_FMT_NB)
>> +        return NULL;
>> +
>> +    conv_func_type *f = fmt_pair_to_conv_functions[idx];
>> 
>> if (!f)
>> return NULL;
> 
> Something seems to be using an invalid sample format (either out_fmt or
> in_fmt). You should investigate where this comes from.
> (Given that this is a public function, we should probably validate user
> input; and maybe stop using AV_SAMPLE_FMT_NB altogether.)
> 
> - Andreas
> 
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH] libswresample: Prevent out of bounds.

[kobrineli]

Invalid out or int fmts are got from the user input, which was 
discovered through fuzzing. Don't know where to add check at the time of 
SwrContext creating, but I think this change is redundant to at least 
prevent dangerous out of bounds access, which set the pointer to illegal 
address.

On 2023-08-02 13:51, Andreas Rheinhardt wrote:
> kobrineli:
>> From: Eli Kobrin <kobrineli@ispras.ru>
>> 
>> We've been fuzzing torchvision with 
>> [sydr-fuzz](https://github.com/ispras/oss-sydr-fuzz)
>> and found out of bounds error in ffmpeg project at audioconvert.c:51.
>> To prevent error we need to insert corresponding check.
>> 
>> Signed-off-by: Eli Kobrin <kobrineli@ispras.ru>
>> ---
>>  libswresample/audioconvert.c | 7 ++++++-
>>  1 file changed, 6 insertions(+), 1 deletion(-)
>> 
>> diff --git a/libswresample/audioconvert.c 
>> b/libswresample/audioconvert.c
>> index 1d75ba1495..701f4808a0 100644
>> --- a/libswresample/audioconvert.c
>> +++ b/libswresample/audioconvert.c
>> @@ -148,7 +148,12 @@ AudioConvert *swri_audio_convert_alloc(enum 
>> AVSampleFormat out_fmt,
>>                                         int flags)
>>  {
>>      AudioConvert *ctx;
>> -    conv_func_type *f = 
>> fmt_pair_to_conv_functions[av_get_packed_sample_fmt(out_fmt) + 
>> AV_SAMPLE_FMT_NB*av_get_packed_sample_fmt(in_fmt)];
>> +
>> +    size_t idx = av_get_packed_sample_fmt(out_fmt) + AV_SAMPLE_FMT_NB 
>> * av_get_packed_sample_fmt(in_fmt);
>> +    if (idx >= AV_SAMPLE_FMT_NB * AV_SAMPLE_FMT_NB)
>> +        return NULL;
>> +
>> +    conv_func_type *f = fmt_pair_to_conv_functions[idx];
>> 
>>      if (!f)
>>          return NULL;
> 
> Something seems to be using an invalid sample format (either out_fmt or
> in_fmt). You should investigate where this comes from.
> (Given that this is a public function, we should probably validate user
> input; and maybe stop using AV_SAMPLE_FMT_NB altogether.)
> 
> - Andreas
> 
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Re: [FFmpeg-devel] [PATCH] libswresample: Prevent out of bounds.

[Andreas Rheinhardt]

kobrineli:
> From: Eli Kobrin <kobrineli@ispras.ru>
> 
> We've been fuzzing torchvision with [sydr-fuzz](https://github.com/ispras/oss-sydr-fuzz)
> and found out of bounds error in ffmpeg project at audioconvert.c:51.
> To prevent error we need to insert corresponding check.
> 
> Signed-off-by: Eli Kobrin <kobrineli@ispras.ru>
> ---
>  libswresample/audioconvert.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/libswresample/audioconvert.c b/libswresample/audioconvert.c
> index 1d75ba1495..701f4808a0 100644
> --- a/libswresample/audioconvert.c
> +++ b/libswresample/audioconvert.c
> @@ -148,7 +148,12 @@ AudioConvert *swri_audio_convert_alloc(enum AVSampleFormat out_fmt,
>                                         int flags)
>  {
>      AudioConvert *ctx;
> -    conv_func_type *f = fmt_pair_to_conv_functions[av_get_packed_sample_fmt(out_fmt) + AV_SAMPLE_FMT_NB*av_get_packed_sample_fmt(in_fmt)];
> +
> +    size_t idx = av_get_packed_sample_fmt(out_fmt) + AV_SAMPLE_FMT_NB * av_get_packed_sample_fmt(in_fmt);
> +    if (idx >= AV_SAMPLE_FMT_NB * AV_SAMPLE_FMT_NB)
> +        return NULL;
> +
> +    conv_func_type *f = fmt_pair_to_conv_functions[idx];
>  
>      if (!f)
>          return NULL;

Something seems to be using an invalid sample format (either out_fmt or
in_fmt). You should investigate where this comes from.
(Given that this is a public function, we should probably validate user
input; and maybe stop using AV_SAMPLE_FMT_NB altogether.)

- Andreas

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH] libswresample: Prevent out of bounds.

[kobrineli]

From: Eli Kobrin <kobrineli@ispras.ru>

We've been fuzzing torchvision with [sydr-fuzz](https://github.com/ispras/oss-sydr-fuzz)
and found out of bounds error in ffmpeg project at audioconvert.c:51.
To prevent error we need to insert corresponding check.

Signed-off-by: Eli Kobrin <kobrineli@ispras.ru>
---
 libswresample/audioconvert.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libswresample/audioconvert.c b/libswresample/audioconvert.c
index 1d75ba1495..701f4808a0 100644
--- a/libswresample/audioconvert.c
+++ b/libswresample/audioconvert.c
@@ -148,7 +148,12 @@ AudioConvert *swri_audio_convert_alloc(enum AVSampleFormat out_fmt,
                                        int flags)
 {
     AudioConvert *ctx;
-    conv_func_type *f = fmt_pair_to_conv_functions[av_get_packed_sample_fmt(out_fmt) + AV_SAMPLE_FMT_NB*av_get_packed_sample_fmt(in_fmt)];
+
+    size_t idx = av_get_packed_sample_fmt(out_fmt) + AV_SAMPLE_FMT_NB * av_get_packed_sample_fmt(in_fmt);
+    if (idx >= AV_SAMPLE_FMT_NB * AV_SAMPLE_FMT_NB)
+        return NULL;
+
+    conv_func_type *f = fmt_pair_to_conv_functions[idx];
 
     if (!f)
         return NULL;
-- 
2.25.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".