Opened 3 years ago

Closed 4 months ago

#8312 closed defect (worksforme)

signed integer overflow at libavcodec/elbg.c

Reported by: Suhwan Owned by:
Priority: normal Component: undetermined
Version: git-master Keywords: ubsan
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
There're 3 signed integer overflow at libavcodec/elbg.c

I compiled ffmpeg with "--toolchain=clang-usan" to check the undefined-behaviours and attached log file.
How to reproduce:

% ffmpeg_g -y -i $PoC1 -i $PoC2 -target dvd -loglevel 0 -psnr -vbsf null -c cinepak tmp.pmp

ffmpeg version N-95458-g9f023017ab Copyright (c) 2000-2019 the FFmpeg developers
built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-usan

Here's UBSAN log

libavcodec/elbg.c:426:25: runtime error: signed integer overflow: 2147476432 + 25361 cannot be represented in type 'int'

Thread 1 "ffmpeg_g" hit Breakpoint 1, 0x00000000004288b0 in __ubsan::ScopedReport::~ScopedReport() ()
(gdb) bt
#0  0x00000000004288b0 in __ubsan::ScopedReport::~ScopedReport() ()
#1  0x000000000042b0eb in void handleIntegerOverflowImpl<__ubsan::Value>(__ubsan::OverflowData*, unsigned long, char const*, __ubsan::Value, __ubsan::ReportOptions) ()
#2  0x000000000042c8bf in __ubsan_handle_add_overflow ()
#3  0x0000000001fc56cd in avpriv_do_elbg (points=<optimized out>, dim=6, numpoints=103680, codebook=<optimized out>, 
    numCB=<optimized out>, max_steps=1, closest_cb=0x7ffff438b040, rand_state=0x93c4cf8) at libavcodec/elbg.c:426
#4  0x0000000001d57065 in quantize (s=<optimized out>, h=<optimized out>, data=<optimized out>, linesize=<optimized out>, 
    v1mode=<optimized out>, info=<optimized out>, encoding=<optimized out>) at libavcodec/cinepakenc.c:781
#5  0x0000000001d52b71 in rd_strip (y=0, s=<optimized out>, h=<optimized out>, keyframe=<optimized out>, last_data=<optimized out>, 
    last_linesize=<optimized out>, data=<optimized out>, linesize=<optimized out>, scratch_data=<optimized out>, 
    scratch_linesize=<optimized out>, buf=<optimized out>, best_score=<optimized out>) at libavcodec/cinepakenc.c:920
#6  rd_frame (s=<optimized out>, frame=<optimized out>, isakeyframe=<optimized out>, buf=<optimized out>, buf_size=0)
    at libavcodec/cinepakenc.c:1101
#7  0x0000000001d50742 in cinepak_encode_frame (avctx=<optimized out>, pkt=<optimized out>, frame=<optimized out>, 
    got_packet=0x7fffffffc164) at libavcodec/cinepakenc.c:1162
#8  0x0000000001fd2adf in avcodec_encode_video2 (avctx=0x93c4800, avpkt=<optimized out>, frame=<optimized out>, 
    got_packet_ptr=0x7fffffffc164) at libavcodec/encode.c:302
#9  0x0000000001fd4810 in do_encode (avctx=0x93c4800, frame=0x93dfe80, got_packet=0x7fffffffc164) at libavcodec/encode.c:371
#10 0x0000000001fd438a in avcodec_send_frame (avctx=0x93c4800, frame=0x93dfe80) at libavcodec/encode.c:420
#11 0x00000000004c51f8 in do_video_out (of=0x93b91c0, ost=<optimized out>, next_picture=<optimized out>, 
    sync_ipts=4.9406564584124654e-324) at fftools/ffmpeg.c:1287
#12 0x00000000004c0f2b in reap_filters (flush=0) at fftools/ffmpeg.c:1504
#13 0x000000000048d682 in transcode_step () at fftools/ffmpeg.c:4638
#14 transcode () at fftools/ffmpeg.c:4682
#15 0x0000000000487dc4 in main (argc=34, argv=<optimized out>) at fftools/ffmpeg.c:4884
(gdb) c
Continuing.
libavcodec/elbg.c:427:48: runtime error: signed integer overflow: 2147476432 + 25361 cannot be represented in type 'int'

Thread 1 "ffmpeg_g" hit Breakpoint 1, 0x00000000004288b0 in __ubsan::ScopedReport::~ScopedReport() ()
(gdb) bt
#0  0x00000000004288b0 in __ubsan::ScopedReport::~ScopedReport() ()
#1  0x000000000042b0eb in void handleIntegerOverflowImpl<__ubsan::Value>(__ubsan::OverflowData*, unsigned long, char const*, __ubsan::Value, __ubsan::ReportOptions) ()
#2  0x000000000042c8bf in __ubsan_handle_add_overflow ()
#3  0x0000000001fc54b1 in avpriv_do_elbg (points=<optimized out>, dim=6, numpoints=103680, codebook=<optimized out>, 
    numCB=<optimized out>, max_steps=1, closest_cb=0x7ffff438b040, rand_state=0x93c4cf8) at libavcodec/elbg.c:427
#4  0x0000000001d57065 in quantize (s=<optimized out>, h=<optimized out>, data=<optimized out>, linesize=<optimized out>, 
    v1mode=<optimized out>, info=<optimized out>, encoding=<optimized out>) at libavcodec/cinepakenc.c:781
#5  0x0000000001d52b71 in rd_strip (y=0, s=<optimized out>, h=<optimized out>, keyframe=<optimized out>, last_data=<optimized out>, 
    last_linesize=<optimized out>, data=<optimized out>, linesize=<optimized out>, scratch_data=<optimized out>, 
    scratch_linesize=<optimized out>, buf=<optimized out>, best_score=<optimized out>) at libavcodec/cinepakenc.c:920
#6  rd_frame (s=<optimized out>, frame=<optimized out>, isakeyframe=<optimized out>, buf=<optimized out>, buf_size=0)
    at libavcodec/cinepakenc.c:1101
#7  0x0000000001d50742 in cinepak_encode_frame (avctx=<optimized out>, pkt=<optimized out>, frame=<optimized out>, 
    got_packet=0x7fffffffc164) at libavcodec/cinepakenc.c:1162
#8  0x0000000001fd2adf in avcodec_encode_video2 (avctx=0x93c4800, avpkt=<optimized out>, frame=<optimized out>, 
    got_packet_ptr=0x7fffffffc164) at libavcodec/encode.c:302
#9  0x0000000001fd4810 in do_encode (avctx=0x93c4800, frame=0x93dfe80, got_packet=0x7fffffffc164) at libavcodec/encode.c:371
#10 0x0000000001fd438a in avcodec_send_frame (avctx=0x93c4800, frame=0x93dfe80) at libavcodec/encode.c:420
#11 0x00000000004c51f8 in do_video_out (of=0x93b91c0, ost=<optimized out>, next_picture=<optimized out>, 
    sync_ipts=4.9406564584124654e-324) at fftools/ffmpeg.c:1287
#12 0x00000000004c0f2b in reap_filters (flush=0) at fftools/ffmpeg.c:1504
#13 0x000000000048d682 in transcode_step () at fftools/ffmpeg.c:4638
#14 transcode () at fftools/ffmpeg.c:4682
#15 0x0000000000487dc4 in main (argc=34, argv=<optimized out>) at fftools/ffmpeg.c:4884
(gdb) c
Continuing.
libavcodec/elbg.c:451:26: runtime error: signed integer overflow: 2147483647 - -1719047551 cannot be represented in type 'int'

Thread 1 "ffmpeg_g" hit Breakpoint 1, 0x00000000004288b0 in __ubsan::ScopedReport::~ScopedReport() ()

Please confirm.
Thanks

Attachments (2)

PoC1.rle (2.0 KB ) - added by Suhwan 3 years ago.
poc1
PoC2.pict (1.4 KB ) - added by Suhwan 3 years ago.
poc2

Download all attachments as: .zip

Change History (3)

by Suhwan, 3 years ago

Attachment: PoC1.rle added

poc1

by Suhwan, 3 years ago

Attachment: PoC2.pict added

poc2

comment:1 by Michael Niedermayer, 4 months ago

Resolution: worksforme
Status: newclosed

Does not reproduce
also there have been many changes and bugfixed to elbg since this bug report was created so its plausible this was fixed
please reopen if it still replicates for you

Note: See TracTickets for help on using tickets.