From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 25 Sep 2023 13:31:11 +0200
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
References: <20230925112737.4039135-1-mezhuevtp@ispras.ru>
In-Reply-To: <20230925112737.4039135-1-mezhuevtp@ispras.ru>
Subject: Re: [FFmpeg-devel] [PATCH] Numeric truncation in svs.c:57
List-Id: FFmpeg development discussions and patches
Content-Type: text/plain; charset="us-ascii"

mezhuevtp@ispras.ru:
> From: headshog
>
> Hi! We've been fuzzing `ffmpeg` with [sydr-fuzz](https://github.com/ispras/oss-sydr-fuzz) security predicates and we found a numeric truncation error in `svs.c:57`.
> In function `svs_read_header` on line 57 field `st->codecpar->sample_rate` has type `int`, the type of return value in `av_rescale_rnd` function is `int64_t`, so the numeric truncation may occur here.
> Then value of `st->codecpar->sample_rate` is passed to `avpriv_set_pts_info` function parameter `unsigned int pts_den`.
> In a way not to break API/ABI, I've added a checker for valid `sample_rate` value.
> --- > libavformat/svs.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/libavformat/svs.c b/libavformat/svs.c > index b91d29f5a6..54f24f539c 100644 > --- a/libavformat/svs.c > +++ b/libavformat/svs.c > @@ -42,6 +42,11 @@ static int svs_read_header(AVFormatContext *s) > { > AVStream *st; > uint32_t pitch; > + int64_t rescale_val; > + > + rescale_val = av_rescale_rnd(pitch, 48000, 4096, AV_ROUND_INF); Using an uninitialized variable is supposed to fix something? > + if (rescale_val > INT_MAX) > + return AVERROR(ERANGE); > > st = avformat_new_stream(s, NULL); > if (!st)
> @@ -54,7 +59,7 @@ static int svs_read_header(AVFormatContext *s) > st->codecpar->codec_type = AVMEDIA_TYPE_AUDIO; > st->codecpar->codec_id = AV_CODEC_ID_ADPCM_PSX; > st->codecpar->ch_layout = (AVChannelLayout)AV_CHANNEL_LAYOUT_STEREO; > - st->codecpar->sample_rate = av_rescale_rnd(pitch, 48000, 4096, AV_ROUND_INF); > + st->codecpar->sample_rate = rescale_val; > st->codecpar->block_align = 32; > st->start_time = 0; > if (s->pb->seekable & AVIO_SEEKABLE_NORMAL)
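
Review bot: in the `@@ -42,6 +42,11 @@` hunk, `rescale_val = av_rescale_rnd(pitch, 48000, 4096, AV_ROUND_INF);` sits directly after the declaration `uint32_t pitch;`, so `pitch` is read before anything has assigned it and the `rescale_val > INT_MAX` check tests an indeterminate value rather than the one parsed from the file. Move the computation and the range check down to the point where `pitch` has been read from the input, which is where the original assignment to `sample_rate` sits in the second hunk; failing early, before `avformat_new_stream()`, gains nothing if the checked value is not the one that ends up stored.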
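
Review bot: at `st->codecpar->sample_rate = rescale_val;` in the `@@ -54,7 +59,7 @@` hunk, the `int64_t` to `int` narrowing is still implicit and relies on a check in the earlier hunk that guards only the upper bound, so a result of 0 is stored unchanged. Since the commit message says this field is then passed to `avpriv_set_pts_info` as `pts_den`, consider computing into `rescale_val` at this spot and rejecting `rescale_val <= 0 || rescale_val > INT_MAX` immediately before the assignment, so the check and the store stay together.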