From: Sean McGovern <gseanmcg@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Cc: Sean McGovern <sean@elysia.seanmcgovern.ca>
Subject: [FFmpeg-devel] [PATCH 0/1] fate-aac-encode-pred UBsan fix
Date: Sun, 25 Feb 2024 13:44:28 -0500
Message-ID: <20240225184429.2962707-1-gseanmcg@gmail.com> (raw)
From: Sean McGovern <sean@elysia.seanmcgovern.ca>
Hi FFmpeg-devel,
I've started looking into the results posted by the UBsan FATE node -- http://fate.ffmpeg.org/history.cgi?slot=x86_64-archlinux-gcc-ubsan
Here is the error reported by FATE (snipped for brevity) for 'fate-aac-encode-pred':
[aist#0:0/pcm_s16le @ 0x77fee40] Guessed Channel Layout: stereo
Input #0, wav, from '/srv/VIDEO/fate-suite/audio-reference/luckynight_2ch_44kHz_s16.wav':
Duration: 00:00:09.50, bitrate: 1411 kb/s
Stream #0:0: Audio: pcm_s16le ([1][0][0][0] / 0x0001), 44100 Hz, stereo, s16, 1411 kb/s
Stream mapping:
Stream #0:0 -> #0:0 (pcm_s16le (native) -> aac (native))
Output #0, adts, to '/home/sean/build/ffmpeg-ubsan/tests/data/fate/aac-pred-encode.adts':
Stream #0:0: Audio: aac (Main), 44100 Hz, stereo, fltp, 128 kb/s
Metadata:
encoder : Lavc aac
src/libavcodec/aacenc_pred.c:169:48: runtime error: index 41 out of bounds for type 'uint8_t [41]'
threads=8
Ignore the thread count, this fails the same when threads=1
Here is the loop it fails in -- for this test 'sfb == 49':
libavcodec/aacenc_pred.c:165: for (w = 0; w < sce0->ics.num_windows; w += sce0->ics.group_len[w]) {
libavcodec/aacenc_pred.c:166: start = 0;
libavcodec/aacenc_pred.c:167: for (g = 0; g < sce0->ics.num_swb; g++) {
libavcodec/aacenc_pred.c:168: int sfb = w*16+g;
libavcodec/aacenc_pred.c:169: int sum = sce0->ics.prediction_used[sfb] + sce1->ics.prediction_used[sfb];
...
Here is the array definition for prediction_used:
libavcodec/aac.h:188: uint8_t prediction_used[41];
Here is the line num_swb is set on:
libavcodec/aacenc.c:899: ics->num_swb = tag == TYPE_LFE ? ics->num_swb : s->psy.num_bands[ics->num_windows == 8];
(side note: interesting, I've never seen a boolean condition used an an array index before...)
My attached patch just uses FFMIN to ensure we don't navigate past the end of ics.prediction_used[]
It corrects the undefined behaviour, but it feels naïve.
Any thoughts?
Sean McGovern (1):
aacenc_pred: prevent UB in ff_aac_adjust_common_pred()
libavcodec/aacenc_pred.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--
2.39.2
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
next reply other threads:[~2024-02-25 18:44 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-25 18:44 Sean McGovern [this message]
2024-02-25 18:44 ` [FFmpeg-devel] [PATCH 1/1] aacenc_pred: prevent UB in ff_aac_adjust_common_pred() Sean McGovern
2024-02-27 18:39 ` Andreas Rheinhardt
2024-02-27 18:59 ` Sean McGovern
2024-03-05 4:51 ` [FFmpeg-devel] [PATCH] " Sean McGovern
2024-02-25 18:55 ` [FFmpeg-devel] [PATCH 0/1] fate-aac-encode-pred UBsan fix Sean McGovern
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240225184429.2962707-1-gseanmcg@gmail.com \
--to=gseanmcg@gmail.com \
--cc=ffmpeg-devel@ffmpeg.org \
--cc=sean@elysia.seanmcgovern.ca \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git