Opened 6 years ago

Last modified 6 years ago

#6712 new defect

Type mismatch between vorbis_context_s::audio_samplerate and AVCodecContext::sample_rate

Reported by: jrummell Owned by:
Priority: normal Component: avcodec
Version: git-master Keywords:
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

vorbis_parse_id_hdr() extracts the audio sample rate into vorbis_context_s::audio_samplerate, which is a uint32_t. This seems to match what's in the spec. However, later on, when passing the value in AVCodecContext::sample_rate, it does a conversion to int without checking. As a result, Vorbis headers with a large audio sample rate end up passing a negative value in |sample_rate|.

This was discovered by Chromium's fuzzers (http://crbug.com/762479).

This also happens for |audio_channels|, although it is a uint8_t converted to an int so it's not a problem.

Repro. ffmpeg notes that the sample_rate is negative.

ffmpeg -i clusterfuzz-testcase-6655114243997696 test.mp4
ffmpeg version N-86098-g3fefaea Copyright (c) 2000-2017 the FFmpeg developers
  built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
  libavutil      55. 63.100 / 55. 63.100
  libavcodec     57. 96.101 / 57. 96.101
  libavformat    57. 72.101 / 57. 72.101
  libavdevice    57.  7.100 / 57.  7.100
  libavfilter     6. 89.101 /  6. 89.101
  libswscale      4.  7.101 /  4.  7.101
  libswresample   2.  8.100 /  2.  8.100
  libpostproc    54.  6.100 / 54.  6.100
Input #0, matroska,webm, from 'clusterfuzz-testcase-6655114243997696':
  Metadata:
    encoder         : Lavf55.37.102
  Duration: 00:00:02.77, start: 0.000000, bitrate: 14 kb/s
    Stream #0:0: Audio: vorbis, -33506432 Hz, stereo, fltp (default)
Stream mapping:
  Stream #0:0 -> #0:0 (vorbis (native) -> aac (native))
Press [q] to stop, [?] for help
[vorbis @ 0x298a800] Sample rate -33506432 invalid
Error while processing the decoded data for stream #0:0
Conversion failed!
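The narrowing described in the report, shown as an added example that is not FFmpeg's code: a minimal reader for the Vorbis identification header (layout per the Vorbis I spec, assumed here: 0x01 "vorbis", version u32, channels u8, audio_sample_rate u32, all little-endian), the unchecked uint32_t-to-int store beside a range-checked one, run over two constructed headers, one carrying 4261460864 Hz and one carrying 48000 Hz.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed identification header (not the ticket's attachment):
 * 0x01 "vorbis" | version u32 | channels u8 | sample_rate u32 | 3 x bitrate i32 | blocksizes | framing.
 * sample_rate here is 0xFE00BB80 = 4261460864, i.e. 48000 with the top byte set. */
static const uint8_t kFuzzedHeader[30] = {
    0x01, 'v', 'o', 'r', 'b', 'i', 's', 0, 0, 0, 0, 2,
    0x80, 0xBB, 0x00, 0xFE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xB8, 0x01 };
/* Same header with an ordinary 48000 Hz (0x0000BB80) sample rate. */
static const uint8_t kSaneHeader[30] = {
    0x01, 'v', 'o', 'r', 'b', 'i', 's', 0, 0, 0, 0, 2,
    0x80, 0xBB, 0x00, 0x00, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xB8, 0x01 };

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Read audio_sample_rate as the spec defines it: an unsigned 32-bit field at offset 12.
 * Returns -1 for a malformed packet, otherwise the raw value widened so nothing is lost. */
long long parsed_rate_raw(const uint8_t *pkt, size_t len)
{
    if (len < 16 || pkt[0] != 0x01 || memcmp(pkt + 1, "vorbis", 6) != 0)
        return -1;
    return (long long)rd_le32(pkt + 12);
}

/* The pattern the ticket describes: the uint32_t is stored into an int with no check.
 * Values above INT_MAX are not representable; on the usual two's-complement ABI they wrap. */
int parsed_rate_unchecked(const uint8_t *pkt, size_t len)
{
    long long raw = parsed_rate_raw(pkt, len);
    return raw < 0 ? 0 : (int)(uint32_t)raw;
}

/* Hardened form: validate in the field's native width before narrowing.
 * Rejects 0 (the spec requires a non-zero rate) and anything int cannot hold. */
int parsed_rate_checked(const uint8_t *pkt, size_t len)
{
    long long raw = parsed_rate_raw(pkt, len);
    if (raw <= 0 || raw > INT_MAX)
        return -1;
    return (int)raw;
}

int main(void) { printf("%d\n", parsed_rate_unchecked(kFuzzedHeader, sizeof kFuzzedHeader)); return 0; }
```

The unchecked path yields the -33506432 seen in the ffmpeg output above; the checked path rejects the header before a negative rate can reach any consumer.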

Attachments (1)

clusterfuzz-testcase-6655114243997696 (4.9 KB ) - added by jrummell 6 years ago.


Change History (4)

by jrummell, 6 years ago

comment:1 by Carl Eugen Hoyos, 6 years ago

Is the sample_rate valid or is FFmpeg supposed to error out?

comment:2 by jrummell, 6 years ago

As I read the Vorbis spec, the sample_rate specified in the test file is 4261460864 Hz (as it's unsigned 32 bits). The conversion to int results in -33506432 Hz. vorbis_parse_id_hdr() doesn't report an error with the header, so it appears valid. Looks like ffmpeg.c later complains about the negative sample_rate.

As this file was generated by a fuzzer, I don't know if there are any valid Vorbis files with sample_rate > 2147483647 Hz.

comment:3 by Hendrik, 6 years ago

Considering it does error out, not sure what else its supposed to do? Error out differently with a positive huge sample rate? Cosmetic at best, isn't it?

We can't possibly handle sample rates over INT_MAX either way, the sample_rate field is just an int in generic code, and as such part of API and ABI, so changing that would be complex. And I don't think you are advocating for that either.
