Date: Sun, 28 Apr 2024 23:57:25 +0200
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Message-ID: <20240428215725.GK6420@pb2>
References: <20240428213052.3800493-1-michael@niedermayer.cc> <20240428213052.3800493-2-michael@niedermayer.cc>
Subject: Re: [FFmpeg-devel] [PATCH 2/5] avcodec/aaccoder: assert that escape case len is not causing issues

On Sun, Apr 28, 2024 at 11:41:20PM +0200, Lynne wrote:
> Apr 28, 2024, 23:31 by michael@niedermayer.cc:
>
> > Inspired by CID1465483 Unintentional integer overflow
> >
> > Sponsored-by: Sovereign Tech Fund
> > Signed-off-by: Michael Niedermayer
> > ---
> > libavcodec/aaccoder.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/libavcodec/aaccoder.c b/libavcodec/aaccoder.c > > index 4ce54ca8867..6e5817e237b 100644 > > --- a/libavcodec/aaccoder.c > > +++ b/libavcodec/aaccoder.c 
> > @@ -178,6 +178,8 @@ static av_always_inline float quantize_and_encode_b= and_cost_template( > > int coef =3D av_clip_uintp2(quant(fabsf(in[i+j]), Q, ROUNDING), 13); > > int len =3D av_log2(coef); > > =20 > > + av_assert2(len >=3D 4); > > + > > put_bits(pb, len - 4 + 1, (1 << (len - 4 + 1)) - 2); > > put_sbits(pb, len, coef); > > } > >
>
> I'm not sure that's correct to do. Any specific cases where this happens?

If len is 3 or less then put_bits will have a negative value or undefined shift.

Coverity said this:
"overflow_before_widen: Potentially overflowing expression 1 << len - 4 + 1 with type int (32 bits, signed) is evaluated using 32-bit arithmetic, and then used in a context that expects an expression of type BitBuf (64 bits, unsigned). To avoid overflow, cast 1 to type BitBuf."

So what Coverity really said is that the expression could exceed 32 bits _because_ it's used in a 64-bit context. That's just stupid from Coverity.

Also the clip above limits this to 13 bits, so I don't see how it can overflow in the "too large" direction, and I marked this one as a false positive.

I wasn't 100% sure about the too small side; I tested it and it's never too small, but Coverity didn't claim it could be too small, so that question is outside the issue.

So I added an assert in this patch.

thx

[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Those who are too smart to engage in politics are punished by being governed by those who are dumber.
-- Plato
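
Review bot: At the new av_assert2(len >= 4) line, the check depends on coef being at least 16, but nothing in the hunk shows where that is guaranteed: the visible av_clip_uintp2(..., 13) only bounds coef from above (len at most 12, so the shift count len - 4 + 1 is at most 9). A short comment beside the assert naming the condition that makes this the escape case would let a reader verify the lower bound. Since av_assert2 is only compiled in at raised assert levels, the commit message should also say that this documents an invariant rather than guarding put_bits in normal builds.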
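
The bounds argued in the message above can be checked exhaustively over the 13-bit clipped range. The following is an added example, not FFmpeg code: `ilog2`, `escape_encode`, `escape_decode` and `roundtrip_failures` are hypothetical names, and a `uint64_t` stands in for the bit writer.

```c
#include <stdint.h>
#include <stdio.h>

/* floor(log2(v)); local stand-in for av_log2() (assumption), returns 0 for v = 0. */
static int ilog2(unsigned v)
{
    int n = 0;
    while (v >>= 1) n++;
    return n;
}

/* Pack the escape sequence in the order the hunk's two put calls emit it:
 * (len - 4) one-bits, a zero bit, then the low len bits of coef.
 * Returns the bit count, or -1 when len <= 3 makes the prefix width unusable. */
static int escape_encode(unsigned coef, uint64_t *bits)
{
    int len  = ilog2(coef);
    int plen = len - 4 + 1;              /* width of the prefix field */
    if (plen < 1) return -1;             /* the case the assert rules out */
    *bits = ((uint64_t)((1u << plen) - 2) << len) | (coef & ((1u << len) - 1));
    return plen + len;
}

/* Inverse: count leading ones, expect the zero, read len = ones + 4 bits. */
static long escape_decode(uint64_t bits, int nbits)
{
    int pos = nbits - 1, ones = 0;
    while (pos >= 0 && ((bits >> pos) & 1)) { ones++; pos--; }
    int len = ones + 4;
    if (pos != len) return -1;           /* separator must sit just above the mantissa */
    return (long)((1u << len) | (bits & ((1u << len) - 1)));
}

/* Number of coefficients in [lo, hi] that fail to encode or to round-trip. */
static int roundtrip_failures(unsigned lo, unsigned hi)
{
    int bad = 0;
    for (unsigned c = lo; c <= hi; c++) {
        uint64_t b = 0;
        int n = escape_encode(c, &b);
        if (n < 0 || escape_decode(b, n) != (long)c) bad++;
    }
    return bad;
}

int main(void)
{
    printf("bad in 16..8191: %d, bad in 0..15: %d\n",
           roundtrip_failures(16, 8191), roundtrip_failures(0, 15));
    return 0;
}
```
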