Context Navigation

#8306 closed defect (fixed)

left shift of negative value at libavcodec/adpcm.c

Reported by:	Suhwan	Owned by:
Priority:	normal	Component:	undetermined
Version:	git-master	Keywords:	ubsan
Cc:		Blocked By:
Blocking:		Reproduced by developer:	no
Analyzed by developer:	no

Description

Summary of the bug:
There are two left shift of negative value at libavcodec/adpcm.c
I compiled ffmpeg with "--toolchain=clang-usan" to check the undefined-behaviours and attached log file.
How to reproduce:

% ffmpeg_g -t 3 -y -i $PoC tmp.mxf

ffmpeg version N-95446-gfddef964e8 Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-usan

Here's UBSAN log

libavcodec/adpcm.c:1726:46: runtime error: left shift of negative value -1

Breakpoint 1, 0x00000000004288b0 in __ubsan::ScopedReport::~ScopedReport() ()
(gdb) bt
#0  0x00000000004288b0 in __ubsan::ScopedReport::~ScopedReport() ()
#1  0x000000000042a9a0 in handleShiftOutOfBoundsImpl(__ubsan::ShiftOutOfBoundsData*, unsigned long, unsigned long, __ubsan::ReportOptions) ()
#2  0x000000000042cb41 in __ubsan_handle_shift_out_of_bounds ()
#3  0x00000000044fce13 in adpcm_decode_frame (avctx=0x93b6840, data=0x0, 
    got_frame_ptr=0x7fffffffc568, avpkt=0x93b9b00) at libavcodec/adpcm.c:1726
#4  0x0000000001e104c6 in decode_simple_internal (avctx=0x93b6840, 
    frame=<optimized out>) at libavcodec/decode.c:432
#5  0x0000000001dfccc5 in decode_simple_receive_frame (avctx=<optimized out>, 
    frame=<optimized out>) at libavcodec/decode.c:628
#6  decode_receive_frame_internal (avctx=0x93b6840, frame=0x93c2b40)
    at libavcodec/decode.c:646
#7  0x0000000001dfc783 in avcodec_send_packet (avctx=0x93b6840, 
    avpkt=<optimized out>) at libavcodec/decode.c:704
#8  0x000000000049a167 in decode (avctx=<optimized out>, frame=0x93c30c0, 
    pkt=<optimized out>, got_frame=<optimized out>) at fftools/ffmpeg.c:2230
#9  decode_audio (ist=<optimized out>, pkt=0x7fffffffc8e0, 
    got_output=<optimized out>, decode_failed=<optimized out>)
    at fftools/ffmpeg.c:2287
#10 process_input_packet (ist=<optimized out>, pkt=0x7fffffffca30, no_eof=0)
    at fftools/ffmpeg.c:2609
#11 0x00000000004bf110 in process_input (file_index=<optimized out>)
    at fftools/ffmpeg.c:4508
#12 0x000000000048d60b in transcode_step () at fftools/ffmpeg.c:4628
#13 transcode () at fftools/ffmpeg.c:4682
#14 0x0000000000487dc4 in main (argc=7, argv=<optimized out>)
    at fftools/ffmpeg.c:4884
(gdb) c
Continuing.
libavcodec/adpcm.c:1726:72: runtime error: left shift of negative value -1

Breakpoint 1, 0x00000000004288b0 in __ubsan::ScopedReport::~ScopedReport() ()
(gdb) bt
#0  0x00000000004288b0 in __ubsan::ScopedReport::~ScopedReport() ()
#1  0x000000000042a9a0 in handleShiftOutOfBoundsImpl(__ubsan::ShiftOutOfBoundsData*, unsigned long, unsigned long, __ubsan::ReportOptions) ()
#2  0x000000000042cb41 in __ubsan_handle_shift_out_of_bounds ()
#3  0x00000000044fce6d in adpcm_decode_frame (avctx=0x93b6840, data=0x0, 
    got_frame_ptr=0x7fffffffc568, avpkt=0x93b9b00) at libavcodec/adpcm.c:1726
#4  0x0000000001e104c6 in decode_simple_internal (avctx=0x93b6840, 
    frame=<optimized out>) at libavcodec/decode.c:432
#5  0x0000000001dfccc5 in decode_simple_receive_frame (avctx=<optimized out>, 
    frame=<optimized out>) at libavcodec/decode.c:628
#6  decode_receive_frame_internal (avctx=0x93b6840, frame=0x93c2b40)
    at libavcodec/decode.c:646
#7  0x0000000001dfc783 in avcodec_send_packet (avctx=0x93b6840, 
    avpkt=<optimized out>) at libavcodec/decode.c:704
#8  0x000000000049a167 in decode (avctx=<optimized out>, frame=0x93c30c0, 
    pkt=<optimized out>, got_frame=<optimized out>) at fftools/ffmpeg.c:2230
#9  decode_audio (ist=<optimized out>, pkt=0x7fffffffc8e0, 
    got_output=<optimized out>, decode_failed=<optimized out>)
    at fftools/ffmpeg.c:2287
#10 process_input_packet (ist=<optimized out>, pkt=0x7fffffffca30, no_eof=0)
    at fftools/ffmpeg.c:2609
#11 0x00000000004bf110 in process_input (file_index=<optimized out>)
    at fftools/ffmpeg.c:4508
#12 0x000000000048d60b in transcode_step () at fftools/ffmpeg.c:4628
#13 transcode () at fftools/ffmpeg.c:4682
#14 0x0000000000487dc4 in main (argc=7, argv=<optimized out>)
    at fftools/ffmpeg.c:4884

Please confirm.
Thanks

Attachments (1)

PoC_adpcm.isobrl6 (2.4 KB ) - added by Suhwan 5 years ago.: poc

Download all attachments as: .zip

Change History (2)

by Suhwan, 5 years ago

Attachment:	PoC_adpcm.isobrl6 added

poc

comment:1 by Suhwan, 5 years ago

Resolution:	→ fixed
Status:	new → closed

fixed in 34e701ff93b664703e1bc1b1a6073fa058b02f34

Note: See TracTickets for help on using tickets.

Download in other formats: