Opened 5 years ago

Closed 3 years ago

#8593 closed defect (fixed)

UBSan: signed integer overflow

Reported by: andreafioraldi Owned by:
Priority: normal Component: avformat
Version: git-master Keywords: wav ubsan
Cc: Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:

This multiplication at line 593 of wavdec.c causes an overflow:

st->codecpar->block_align *= st->codecpar->channels;

How to reproduce:

% ffmpeg -i id:000157,sig:04,src:000055,time:3158020,op:MOpt_havoc,rep:128 out.mp3
ffmpeg version N-97118-gfa164bc50e Copyright (c) 2000-2020 the FFmpeg developers
  built with clang version 10.0.0 (git@github.com:andreafioraldi/ConstrainedMemorySanitizer.git 5b365c37a959d429121850f6d91ed160d4cdf76f)
  configuration: --cc=clang-10 --cxx=clang++-10
  libavutil      56. 42.102 / 56. 42.102
  libavcodec     58. 77.101 / 58. 77.101
  libavformat    58. 42.100 / 58. 42.100
  libavdevice    58.  9.103 / 58.  9.103
  libavfilter     7. 77.101 /  7. 77.101
  libswscale      5.  6.101 /  5.  6.101
  libswresample   3.  6.100 /  3.  6.100
libavformat/wavdec.c:593:35: runtime error: signed integer overflow: 65035 * 65281 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavformat/wavdec.c:593:35 in 
[NULL @ 0x619000000580] Too many or invalid channels: 65281
[wav @ 0x61b000000080] Failed to open codec in avformat_find_stream_info
[NULL @ 0x619000000580] Too many or invalid channels: 65281
[wav @ 0x61b000000080] Packet corrupt (stream = 0, dts = NOPTS).
Input #0, wav, from 'output/a1/crashes/id:000157,sig:04,src:000055,time:3158020,op:MOpt_havoc,rep:128':
  Duration: 00:00:00.98, bitrate: 48 kb/s
    Stream #0:0: Audio: adpcm_ms ([2][0][0][0] / 0x0002), 11246 Hz, 65281 channels, 2936600 kb/s
Automatic encoder selection failed for output stream #0:0. Default encoder for format mp3 (codec mp3) is probably disabled. Please choose an encoder manually.
Error selecting an encoder for stream 0:0

Attachments (1)

id:000157,sig:04,src:000055,time:3158020,op:MOpt_havoc,rep:128 (5.8 KB ) - added by andreafioraldi 5 years ago.

Download all attachments as: .zip

Change History (3)

comment:1 by Carl Eugen Hoyos, 5 years ago

Keywords: wav ubsan added

comment:2 by mkver, 3 years ago

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.