From: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH 1/5] avcodec/aac/aacdec_usac: Test ac in usac
Date: Wed, 26 Jun 2024 21:45:55 +0200
Message-ID: <GV1SPRMB0034CA71F9B46FC890F7CAC48FD62@GV1SPRMB0034.EURP250.PROD.OUTLOOK.COM> (raw)
In-Reply-To: <2c543b4f-a572-4bde-9981-41fe7a8eb3d5@lynne.ee>
Lynne via ffmpeg-devel:
> On 26/06/2024 01:57, Michael Niedermayer wrote:
>> On Wed, Jun 26, 2024 at 01:35:18AM +0200, Lynne via ffmpeg-devel wrote:
>>> On 24/06/2024 01:01, Michael Niedermayer wrote:
>>>> ff_aac_usac_config_decode() needs AACDecContext to be set but some callers pass NULL.
>>>>
>>>> I have no real testcase to implement/test this, so failing in this case
>>>> seems safest.
>>>>
>>>> Fixes: member access within null pointer of type 'AACDecContext' (aka 'struct AACDecContext')
>>>> Fixes: 69435/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AAC_LATM_fuzzer-5733527483121664
>>>>
>>>> Found-by: continuous fuzzing process
>>>> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
>>>> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
>>>> ---
>>>> libavcodec/aac/aacdec_usac.c | 3 +++
>>>> 1 file changed, 3 insertions(+)
>>>>
>>>> diff --git a/libavcodec/aac/aacdec_usac.c
>>>> b/libavcodec/aac/aacdec_usac.c
>>>> index 132ffee9c20..4856c1786b7 100644
>>>> --- a/libavcodec/aac/aacdec_usac.c
>>>> +++ b/libavcodec/aac/aacdec_usac.c
>>>> @@ -348,6 +348,9 @@ int ff_aac_usac_config_decode(AACDecContext *ac,
>>>> AVCodecContext *avctx,
>>>> int map_pos_set = 0;
>>>> uint8_t layout_map[MAX_ELEM_ID*4][3] = { 0 };
>>>> + if (!ac)
>>>> + return AVERROR_PATCHWELCOME;
>>>> +
>>>> memset(usac, 0, sizeof(*usac));
>>>> freq_idx = get_bits(gb, 5); /* usacSamplingFrequencyIndex */
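Review bot: AVERROR_PATCHWELCOME is the wrong error class for the `if (!ac)` guard. The backtrace further down the thread shows ac is NULL only on the LATM path (latm_decode_audio_specific_config -> decode_audio_specific_config_gb -> ff_aac_usac_config_decode), i.e. a USAC AudioSpecificConfig carried in a LATM stream, which this decoder does not support; that is malformed or unsupported input for this code path and should be rejected with AVERROR_INVALIDDATA. Two smaller points: add a one-line comment above the check saying why ac can legitimately be NULL here (the LATM caller), otherwise the guard looks like dead code and is liable to be removed; and note that the early return also skips the `memset(usac, 0, sizeof(*usac))` that follows, so if any caller inspects usac after a failure it will see stale contents, in which case the guard belongs after the memset. Alternatively reject at the LATM caller, which is where the knowledge that USAC-in-LATM is unsupported actually lives, and keep this function's contract as "ac must be non-NULL".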
>>>
>>> This doesn't seem possible at all.
>>> There are 2 callers, parse_audio_preroll and
>>> decode_audio_specific_config_gb. Both of these will crash way before the
>>> function is called.
>>>
>>> Could you at least get a backtrace?
>>
>> sure
>>
>> libavcodec/aac/aacdec_usac.c:402:39: runtime error: member access within null pointer of type 'AACDecContext' (aka 'struct AACDecContext')
>> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/aac/aacdec_usac.c:402:39 in
>> AddressSanitizer:DEADLYSIGNAL
>> =================================================================
>> ==215602==ERROR: AddressSanitizer: SEGV on unknown address 0x000000005b10 (pc 0x00000154771e bp 0x7ffcf5049e90 sp 0x7ffcf5049e70 T0)
>> ==215602==The signal is caused by a READ memory access.
>>     #0 0x154771d in av_channel_layout_uninit ffmpeg/libavutil/channel_layout.c:439:25
>>     #1 0x57346e in ff_aac_usac_config_decode ffmpeg/libavcodec/aac/aacdec_usac.c:402:9
>>     #2 0x500a0a in decode_audio_specific_config_gb ffmpeg/libavcodec/aac/aacdec.c:1050:20
>>     #3 0x50a542 in latm_decode_audio_specific_config ffmpeg/libavcodec/aac/aacdec_latm.h:80:21
>>     #4 0x4f8638 in read_stream_mux_config ffmpeg/libavcodec/aac/aacdec_latm.h:160:24
>>     #5 0x4f8638 in read_audio_mux_element ffmpeg/libavcodec/aac/aacdec_latm.h:233
>>     #6 0x4f8638 in latm_decode_frame ffmpeg/libavcodec/aac/aacdec_latm.h:275
>>     #7 0x68f26f in decode_simple_internal ffmpeg/libavcodec/decode.c:429:20
>>     #8 0x68f26f in decode_simple_receive_frame ffmpeg/libavcodec/decode.c:600
>>     #9 0x68f26f in decode_receive_frame_internal ffmpeg/libavcodec/decode.c:631
>>     #10 0x68dc9d in avcodec_send_packet ffmpeg/libavcodec/decode.c:721:15
>>     #11 0x4d1e55 in LLVMFuzzerTestOneInput ffmpeg/tools/target_dec_fuzzer.c:534:25
>>
>> [...]
>>
>> _______________________________________________
>> ffmpeg-devel mailing list
>> ffmpeg-devel@ffmpeg.org
>> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>>
>> To unsubscribe, visit link above, or email
>> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>
> This patch actually is correct.
> USAC in LATM is not supported AFAIK.
>
> LGTM with a note like:
> "Happens only when the LATM decoder is used, and USAC is not supported
> in LATM".
>
But then it is not PATCHWELCOME, but INVALIDDATA.
- Andreas
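Two things in this thread are worth seeing in running code: the guard the patch adds, returning an INVALIDDATA-style error when the context is missing instead of dereferencing it, and the triage reading of the ASan report, where "SEGV on unknown address 0x000000005b10" is a NULL base plus the offset of the member av_channel_layout_uninit() was handed, not a wild pointer. The following is an added example written for this page, not FFmpeg code: DecContext, UsacConfig, ChannelLayout, the ERR_INVALIDDATA value, the bit layout of the toy config and the sample byte are all assumptions, and the padding in DecContext is sized 0x5b10 deliberately so that offsetof() reproduces the fault address from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Negative error code in the style of libavutil's AVERROR_* values.
 * Name and number are assumptions for this example, not FFmpeg's. */
#define ERR_INVALIDDATA (-1)

/* Stand-in for AVChannelLayout (assumption: only what this example needs). */
typedef struct {
    int      nb_channels;
    uint64_t mask;
} ChannelLayout;

/* Stand-in for AACDecContext. The padding is 0x5b10 bytes so that `layout`
 * sits at the fault address from the thread's ASan report: with ctx == NULL,
 * &ctx->layout is the small non-NULL pointer 0x5b10 and touching it faults. */
typedef struct {
    unsigned char other_state[0x5b10];
    ChannelLayout layout;
} DecContext;

/* Stand-in for the decoded usac config (assumption). */
typedef struct {
    int sampling_rate;
    int nb_channels;
} UsacConfig;

/* Minimal MSB-first bit reader that records overruns instead of reading past the buffer. */
typedef struct {
    const uint8_t *buf;
    size_t         size_bits;
    size_t         pos;
    int            overrun;
} BitReader;

static int get_bits(BitReader *br, unsigned n)
{
    unsigned v = 0;
    if (br->pos + n > br->size_bits) {
        br->overrun = 1;
        return -1;
    }
    for (unsigned i = 0; i < n; i++, br->pos++)
        v = (v << 1) | ((br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1u);
    return (int)v;
}

static void channel_layout_uninit(ChannelLayout *l)
{
    memset(l, 0, sizeof(*l)); /* writes through l: faults if l came from a NULL base */
}

/* Toy "usac config": 5-bit sampling-frequency index, then 3-bit channel count.
 * ctx is required because the routine resets the decoder's channel layout,
 * mirroring the dereference at aacdec_usac.c:402 in the thread. */
static int usac_config_decode(DecContext *ctx, UsacConfig *cfg,
                              const uint8_t *data, size_t len)
{
    static const int freq_table[] = { 96000, 88200, 64000, 48000, 44100, 32000 };
    const int n_freq = (int)(sizeof(freq_table) / sizeof(freq_table[0]));
    BitReader br = { data, len * 8, 0, 0 };
    int freq_idx, nb_channels;

    /* The guard from the patch: a caller that cannot supply a context is
     * feeding a stream this decoder does not handle, so reject the data. */
    if (!ctx)
        return ERR_INVALIDDATA;

    memset(cfg, 0, sizeof(*cfg));
    freq_idx    = get_bits(&br, 5);
    nb_channels = get_bits(&br, 3);
    if (br.overrun || freq_idx >= n_freq || nb_channels == 0)
        return ERR_INVALIDDATA;

    cfg->sampling_rate = freq_table[freq_idx];
    cfg->nb_channels   = nb_channels;

    channel_layout_uninit(&ctx->layout); /* the access that faulted in the report */
    ctx->layout.nb_channels = nb_channels;
    return 0;
}

/* Triage helper: for a NULL-base member access the address ASan reports is
 * simply the member's offset inside the struct, so compare against offsetof(). */
static size_t null_deref_fault_address(void)
{
    return offsetof(DecContext, layout);
}

/* Constructed input: bits 00011 010 -> frequency index 3 (48000 Hz), 2 channels. */
static const uint8_t sample_config[] = { 0x1A };

static int decode_null_context_result(void)
{
    UsacConfig cfg;
    return usac_config_decode(NULL, &cfg, sample_config, sizeof(sample_config));
}

/* Returns 0 when the valid-context path decodes the sample as expected. */
static int self_check(void)
{
    static DecContext ctx; /* static: keeps the 23 KiB context off the stack */
    UsacConfig cfg;
    if (usac_config_decode(&ctx, &cfg, sample_config, sizeof(sample_config)) != 0)
        return 1;
    if (cfg.sampling_rate != 48000 || cfg.nb_channels != 2)
        return 2;
    return ctx.layout.nb_channels == 2 ? 0 : 3;
}

int main(void)
{
    printf("NULL context -> %d (ERR_INVALIDDATA)\n", decode_null_context_result());
    printf("valid context self-check -> %d (0 = ok)\n", self_check());
    printf("fault address a NULL ctx would produce: 0x%zx\n", null_deref_fault_address());
    return 0;
}
```

When a sanitizer report shows a SEGV at an address that is small and constant across runs, checking it against offsetof() of the struct being accessed is the quickest way to confirm a NULL-plus-offset dereference and to tell it apart from a use-after-free or a corrupted pointer; in this thread that is exactly what distinguishes "a caller passed NULL" from "memory got clobbered somewhere".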