Opened 4 years ago

Closed 2 years ago

#8596 closed defect (fixed)

UBSan: signed integer overflow in oggdec.c:651

Reported by: andreafioraldi
Owned by:
Priority: normal
Component: avformat
Version: git-master
Keywords: ogg ubsan
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:

UBSan reports: signed integer overflow: -9223372036854775808 - 10739712 cannot be represented in type 'long'

It looks like s->streams[i]->duration = -9223372036854775808 and s->streams[i]->start_time = 10739712.

Note that -9223372036854775808 is the minimum value for a long; this value probably should not be here.

At line 651 of oggdec.c there is:

s->streams[i]->duration -= s->streams[i]->start_time;

This is ofc UB.

How to reproduce:

% ffmpeg -i id:000750,sig:04,src:005641,time:94391508,op:MOpt_havoc,rep:4 out.mp3
ffmpeg version N-97118-gfa164bc50e Copyright (c) 2000-2020 the FFmpeg developers
  built with clang version 10.0.0 (git@github.com:andreafioraldi/ConstrainedMemorySanitizer.git 5b365c37a959d429121850f6d91ed160d4cdf76f)
  configuration: --cc=clang-10 --cxx=clang++-10
  libavutil      56. 42.102 / 56. 42.102
  libavcodec     58. 77.101 / 58. 77.101
  libavformat    58. 42.100 / 58. 42.100
  libavdevice    58.  9.103 / 58.  9.103
  libavfilter     7. 77.101 /  7. 77.101
  libswscale      5.  6.101 /  5.  6.101
  libswresample   3.  6.100 /  3.  6.100
[ogg @ 0x61b000000080] Codec not found
[Vorbis parser @ 0x613000000200] 8 modes (either a false positive or a sample from an unknown encoder) is not implemented. Update your FFmpeg version to the newest one from Git. If the problem still occurs, it means that your file has a feature which has not been implemented.
[Vorbis parser @ 0x613000000200] If you want to help, upload a sample of this file to ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. (ffmpeg-devel@ffmpeg.org)
[ogg @ 0x61b000000080] invalid pts -72057594037927936
libavformat/oggdec.c:651:41: runtime error: signed integer overflow: -9223372036854775808 - 10739712 cannot be represented in type 'long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavformat/oggdec.c:651:41 in 
[ogg @ 0x61b000000080] New streams are not supposed to be added in between Ogg context save/restore operations.
[ogg @ 0x61b000000080] failed to create or replace stream
[vorbis @ 0x619000001980] Codebook lookup type not supported. 
[vorbis @ 0x619000001980]  Vorbis setup header packet corrupt (codebooks). 
[vorbis @ 0x619000001980] Setup header corrupt.
[ogg @ 0x61b000000080] Failed to open codec in avformat_find_stream_info
[vorbis @ 0x619000001980] Codebook lookup type not supported. 
[vorbis @ 0x619000001980]  Vorbis setup header packet corrupt (codebooks). 
[vorbis @ 0x619000001980] Setup header corrupt.
[ogg @ 0x61b000000080] Codec not found
    Last message repeated 1 times
[ogg @ 0x61b000000080] Cannot identify new stream
[ogg @ 0x61b000000080] failed to create or replace stream
[ogg @ 0x61b000000080] Could not find codec parameters for stream 1 (Unknown: none): unknown codec
Consider increasing the value for the 'analyzeduration' and 'probesize' options
[ogg @ 0x61b000000080] Could not find codec parameters for stream 3 (Unknown: none): unknown codec
Consider increasing the value for the 'analyzeduration' and 'probesize' options
[ogg @ 0x61b000000080] Could not find codec parameters for stream 4 (Unknown: none): unknown codec
Consider increasing the value for the 'analyzeduration' and 'probesize' options
Guessed Channel Layout for Input Stream #0.2 : stereo
Input #0, ogg, from 'output/a1/crashes/id:000750,sig:04,src:005641,time:94391508,op:MOpt_havoc,rep:4':
  Duration: 00:00:00.02, start: 2062753000.640726, bitrate: 1679 kb/s
    Stream #0:0: Data: none
    Stream #0:1: Unknown: none
    Stream #0:2: Audio: vorbis, 44100 Hz, stereo, fltp, 79 kb/s
    Metadata:
      ENCODER         : ff
                      : Z���ޙeora 0.10.R
    Stream #0:3: Unknown: none
    Stream #0:4: Unknown: none
Automatic encoder selection failed for output stream #0:0. Default encoder for format mp3 (codec mp3) is probably disabled. Please choose an encoder manually.
Error selecting an encoder for stream 0:0
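Added example (not code from this ticket or from FFmpeg) showing why the statement at oggdec.c:651 is undefined behaviour for the values in the report, and one hypothetical way to guard it. It assumes AV_NOPTS_VALUE is INT64_MIN as defined in libavutil/avutil.h, reproduces that constant locally so it builds without FFmpeg headers, and takes its sample duration/start_time from the UBSan message above; adjust_duration() and sub_int64_checked() are illustrative names, not FFmpeg's actual fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* AV_NOPTS_VALUE as defined in libavutil/avutil.h: INT64_MIN, the
 * "unset" sentinel FFmpeg uses for timestamps and durations.
 * Reproduced here so the example builds without FFmpeg headers. */
#define AV_NOPTS_VALUE ((int64_t)UINT64_C(0x8000000000000000))

/* Constructed sample values, copied from the UBSan report in this ticket. */
#define TICKET_DURATION   AV_NOPTS_VALUE        /* -9223372036854775808 */
#define TICKET_START_TIME INT64_C(10739712)

/* Checked subtraction: returns false (leaving *out untouched) when a - b
 * would not fit in int64_t. The range test itself never overflows:
 * INT64_MIN + b is safe for b > 0 and INT64_MAX + b is safe for b < 0. */
static bool sub_int64_checked(int64_t a, int64_t b, int64_t *out)
{
    if ((b > 0 && a < INT64_MIN + b) || (b < 0 && a > INT64_MAX + b))
        return false;
    *out = a - b;
    return true;
}

/* Hypothetical hardened form of "duration -= start_time" (not FFmpeg's
 * real fix). An unset duration stays unset, and an adjustment that would
 * overflow is reported as unknown instead of being computed. */
int64_t adjust_duration(int64_t duration, int64_t start_time)
{
    int64_t result;
    if (duration == AV_NOPTS_VALUE || start_time == AV_NOPTS_VALUE)
        return AV_NOPTS_VALUE;      /* nothing meaningful to rebase */
    if (!sub_int64_checked(duration, start_time, &result))
        return AV_NOPTS_VALUE;      /* would overflow: treat as unknown */
    return result;
}

/* True when the unguarded "duration -= start_time" would be signed
 * overflow, i.e. exactly the condition UBSan flagged in this ticket. */
bool would_overflow(int64_t duration, int64_t start_time)
{
    int64_t unused;
    return !sub_int64_checked(duration, start_time, &unused);
}

int main(void)
{
    printf("ticket input overflows: %s\n",
           would_overflow(TICKET_DURATION, TICKET_START_TIME) ? "yes" : "no");
    printf("hardened result: %lld\n",
           (long long)adjust_duration(TICKET_DURATION, TICKET_START_TIME));
    printf("normal case: %lld\n",
           (long long)adjust_duration(INT64_C(1000000), INT64_C(250000)));
    return 0;
}
```

The point of the guard is that the sentinel INT64_MIN is not a real duration, so subtracting a start time from it is meaningless as well as undefined; checking for AV_NOPTS_VALUE first, and falling back to a checked subtraction for genuine values, removes the overflow without changing results for well-formed streams.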

Attachments (1)

id:000750,sig:04,src:005641,time:94391508,op:MOpt_havoc,rep:4 (4.8 KB ) - added by andreafioraldi 4 years ago.


Change History (3)

comment:1 by Carl Eugen Hoyos, 4 years ago

Keywords: ogg ubsan added

comment:2 by Elon Musk, 2 years ago

Resolution: fixed
Status: new → closed

By inspecting the demuxer code I see this has been resolved.

Please reopen if this can still be reproduced with the latest ffmpeg.
