Opened 4 years ago

Closed 2 years ago

#8312 closed defect (worksforme)

signed integer overflow at libavcodec/elbg.c

Reported by: Suhwan Owned by:
Priority: normal Component: undetermined
Version: git-master Keywords: ubsan
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
There are 3 signed integer overflows at libavcodec/elbg.c

I compiled ffmpeg with "--toolchain=clang-usan" to check the undefined behaviours and attached the log file.
How to reproduce:

% ffmpeg_g -y -i $PoC1 -i $PoC2 -target dvd -loglevel 0 -psnr -vbsf null -c cinepak tmp.pmp

ffmpeg version N-95458-g9f023017ab Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-usan

Here's the UBSAN log

libavcodec/elbg.c:426:25: runtime error: signed integer overflow: 2147476432 + 25361 cannot be represented in type 'int'

Thread 1 "ffmpeg_g" hit Breakpoint 1, 0x00000000004288b0 in __ubsan::ScopedReport::~ScopedReport() ()
(gdb) bt
#0  0x00000000004288b0 in __ubsan::ScopedReport::~ScopedReport() ()
#1  0x000000000042b0eb in void handleIntegerOverflowImpl<__ubsan::Value>(__ubsan::OverflowData*, unsigned long, char const*, __ubsan::Value, __ubsan::ReportOptions) ()
#2  0x000000000042c8bf in __ubsan_handle_add_overflow ()
#3  0x0000000001fc56cd in avpriv_do_elbg (points=<optimized out>, dim=6, numpoints=103680, codebook=<optimized out>, 
    numCB=<optimized out>, max_steps=1, closest_cb=0x7ffff438b040, rand_state=0x93c4cf8) at libavcodec/elbg.c:426
#4  0x0000000001d57065 in quantize (s=<optimized out>, h=<optimized out>, data=<optimized out>, linesize=<optimized out>, 
    v1mode=<optimized out>, info=<optimized out>, encoding=<optimized out>) at libavcodec/cinepakenc.c:781
#5  0x0000000001d52b71 in rd_strip (y=0, s=<optimized out>, h=<optimized out>, keyframe=<optimized out>, last_data=<optimized out>, 
    last_linesize=<optimized out>, data=<optimized out>, linesize=<optimized out>, scratch_data=<optimized out>, 
    scratch_linesize=<optimized out>, buf=<optimized out>, best_score=<optimized out>) at libavcodec/cinepakenc.c:920
#6  rd_frame (s=<optimized out>, frame=<optimized out>, isakeyframe=<optimized out>, buf=<optimized out>, buf_size=0)
    at libavcodec/cinepakenc.c:1101
#7  0x0000000001d50742 in cinepak_encode_frame (avctx=<optimized out>, pkt=<optimized out>, frame=<optimized out>, 
    got_packet=0x7fffffffc164) at libavcodec/cinepakenc.c:1162
#8  0x0000000001fd2adf in avcodec_encode_video2 (avctx=0x93c4800, avpkt=<optimized out>, frame=<optimized out>, 
    got_packet_ptr=0x7fffffffc164) at libavcodec/encode.c:302
#9  0x0000000001fd4810 in do_encode (avctx=0x93c4800, frame=0x93dfe80, got_packet=0x7fffffffc164) at libavcodec/encode.c:371
#10 0x0000000001fd438a in avcodec_send_frame (avctx=0x93c4800, frame=0x93dfe80) at libavcodec/encode.c:420
#11 0x00000000004c51f8 in do_video_out (of=0x93b91c0, ost=<optimized out>, next_picture=<optimized out>, 
    sync_ipts=4.9406564584124654e-324) at fftools/ffmpeg.c:1287
#12 0x00000000004c0f2b in reap_filters (flush=0) at fftools/ffmpeg.c:1504
#13 0x000000000048d682 in transcode_step () at fftools/ffmpeg.c:4638
#14 transcode () at fftools/ffmpeg.c:4682
#15 0x0000000000487dc4 in main (argc=34, argv=<optimized out>) at fftools/ffmpeg.c:4884
(gdb) c
Continuing.
libavcodec/elbg.c:427:48: runtime error: signed integer overflow: 2147476432 + 25361 cannot be represented in type 'int'

Thread 1 "ffmpeg_g" hit Breakpoint 1, 0x00000000004288b0 in __ubsan::ScopedReport::~ScopedReport() ()
(gdb) bt
#0  0x00000000004288b0 in __ubsan::ScopedReport::~ScopedReport() ()
#1  0x000000000042b0eb in void handleIntegerOverflowImpl<__ubsan::Value>(__ubsan::OverflowData*, unsigned long, char const*, __ubsan::Value, __ubsan::ReportOptions) ()
#2  0x000000000042c8bf in __ubsan_handle_add_overflow ()
#3  0x0000000001fc54b1 in avpriv_do_elbg (points=<optimized out>, dim=6, numpoints=103680, codebook=<optimized out>, 
    numCB=<optimized out>, max_steps=1, closest_cb=0x7ffff438b040, rand_state=0x93c4cf8) at libavcodec/elbg.c:427
#4  0x0000000001d57065 in quantize (s=<optimized out>, h=<optimized out>, data=<optimized out>, linesize=<optimized out>, 
    v1mode=<optimized out>, info=<optimized out>, encoding=<optimized out>) at libavcodec/cinepakenc.c:781
#5  0x0000000001d52b71 in rd_strip (y=0, s=<optimized out>, h=<optimized out>, keyframe=<optimized out>, last_data=<optimized out>, 
    last_linesize=<optimized out>, data=<optimized out>, linesize=<optimized out>, scratch_data=<optimized out>, 
    scratch_linesize=<optimized out>, buf=<optimized out>, best_score=<optimized out>) at libavcodec/cinepakenc.c:920
#6  rd_frame (s=<optimized out>, frame=<optimized out>, isakeyframe=<optimized out>, buf=<optimized out>, buf_size=0)
    at libavcodec/cinepakenc.c:1101
#7  0x0000000001d50742 in cinepak_encode_frame (avctx=<optimized out>, pkt=<optimized out>, frame=<optimized out>, 
    got_packet=0x7fffffffc164) at libavcodec/cinepakenc.c:1162
#8  0x0000000001fd2adf in avcodec_encode_video2 (avctx=0x93c4800, avpkt=<optimized out>, frame=<optimized out>, 
    got_packet_ptr=0x7fffffffc164) at libavcodec/encode.c:302
#9  0x0000000001fd4810 in do_encode (avctx=0x93c4800, frame=0x93dfe80, got_packet=0x7fffffffc164) at libavcodec/encode.c:371
#10 0x0000000001fd438a in avcodec_send_frame (avctx=0x93c4800, frame=0x93dfe80) at libavcodec/encode.c:420
#11 0x00000000004c51f8 in do_video_out (of=0x93b91c0, ost=<optimized out>, next_picture=<optimized out>, 
    sync_ipts=4.9406564584124654e-324) at fftools/ffmpeg.c:1287
#12 0x00000000004c0f2b in reap_filters (flush=0) at fftools/ffmpeg.c:1504
#13 0x000000000048d682 in transcode_step () at fftools/ffmpeg.c:4638
#14 transcode () at fftools/ffmpeg.c:4682
#15 0x0000000000487dc4 in main (argc=34, argv=<optimized out>) at fftools/ffmpeg.c:4884
(gdb) c
Continuing.
libavcodec/elbg.c:451:26: runtime error: signed integer overflow: 2147483647 - -1719047551 cannot be represented in type 'int'

Thread 1 "ffmpeg_g" hit Breakpoint 1, 0x00000000004288b0 in __ubsan::ScopedReport::~ScopedReport() ()

Please confirm.
Thanks
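An added example (written for this page, not FFmpeg's code and not the change that later touched elbg.c) showing the defensive patterns for the class of defect the UBSan log reports: overflow-checked `int` addition and subtraction via the GCC/Clang `__builtin_add_overflow` / `__builtin_sub_overflow` builtins, a saturating add, and a widened 64-bit accumulator for sums of many terms. The operands are the ones quoted in the UBSan messages above; the `demo_vals` array and every function name are constructed for the illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers (added here, not FFmpeg's code). They turn the
 * condition UBSan reported into an explicit, testable result instead of
 * undefined behaviour. __builtin_add_overflow / __builtin_sub_overflow are
 * GCC and Clang builtins: they return true when the mathematically correct
 * result does not fit in the destination type. */
bool checked_add_int(int a, int b, int *out)
{
    int r;
    if (__builtin_add_overflow(a, b, &r))
        return false;               /* a + b does not fit in int */
    *out = r;
    return true;
}

bool checked_sub_int(int a, int b, int *out)
{
    int r;
    if (__builtin_sub_overflow(a, b, &r))
        return false;               /* a - b does not fit in int */
    *out = r;
    return true;
}

/* Saturating variant: clamp to INT_MAX / INT_MIN instead of wrapping. For a
 * distance or error score, a clamped value is still a "very large" result
 * that keeps its ordering, whereas a wrapped value can go negative and win
 * a "smallest score" comparison it should have lost. */
int add_saturating(int a, int b)
{
    int r;
    if (!__builtin_add_overflow(a, b, &r))
        return r;
    return (b > 0) ? INT_MAX : INT_MIN;
}

/* Summing many int terms: widen to int64_t so the running sum cannot
 * overflow for any realistic term count, then saturate once when
 * narrowing back to int. `saturated` may be NULL. */
int accumulate_saturating(const int *vals, size_t n, bool *saturated)
{
    int64_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += vals[i];           /* 64-bit accumulator, no int overflow */
    if (saturated)
        *saturated = (total > INT_MAX || total < INT_MIN);
    if (total > INT_MAX)
        return INT_MAX;
    if (total < INT_MIN)
        return INT_MIN;
    return (int)total;
}

/* Constructed sample input: the two operands from the first UBSan message
 * plus two small terms. Every term fits in int; their sum does not. */
static const int demo_vals[] = { 2147476432, 25361, 3000, 1 };
#define DEMO_N (sizeof demo_vals / sizeof demo_vals[0])

int main(void)
{
    int r;

    /* Operands taken from the UBSan messages in the ticket. */
    printf("2147476432 + 25361 fits in int: %s\n",
           checked_add_int(2147476432, 25361, &r) ? "yes" : "no");
    printf("INT_MAX - (-1719047551) fits in int: %s\n",
           checked_sub_int(INT_MAX, -1719047551, &r) ? "yes" : "no");
    printf("saturating add: %d\n", add_saturating(2147476432, 25361));

    bool sat;
    int total = accumulate_saturating(demo_vals, DEMO_N, &sat);
    printf("accumulated total: %d (saturated: %s)\n", total, sat ? "yes" : "no");
    return 0;
}
```

Built with `clang -fsanitize=signed-integer-overflow`, a plain `a + b` on these operands prints the same "cannot be represented in type 'int'" diagnostic as the ticket; the helpers above instead return a definite answer the caller can act on, which is what a fix for such a finding should establish.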

Attachments (2)

PoC1.rle (2.0 KB ) - added by Suhwan 4 years ago.
poc1
PoC2.pict (1.4 KB ) - added by Suhwan 4 years ago.
poc2


Change History (3)

by Suhwan, 4 years ago

Attachment: PoC1.rle added

poc1

by Suhwan, 4 years ago

Attachment: PoC2.pict added

poc2

comment:1 by Michael Niedermayer, 2 years ago

Resolution: worksforme
Status: new → closed

Does not reproduce.
Also, there have been many changes and bugfixes to elbg since this bug report was created, so it's plausible this was fixed.
Please reopen if it still replicates for you.
