#11686(swscale:new): [Security] signed integer overflow on libswscale/output.c
#11686: [Security] signed integer overflow on libswscale/output.c
-------------------------------------+-------------------------------------
             Reporter:  flyfish101   |                    Type:  defect
               Status:  new          |                Priority:  critical
            Component:  swscale      |                 Version:  git-master
             Keywords:  swscale,     |              Blocked By:
  overflow                           |                Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
Summary of the bug: signed integer overflow

poc: [https://drive.google.com/file/d/1afws3WCzvRBc213jnIMfz_96MFNglGzd/view?usp=s...]

{{{
fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout$ ./target_sws_fuzzer /home/fuzz/Desktop/langgraph/testpro/AFL-Agent/utils_c_389
Reading 339 bytes from /home/fuzz/Desktop/langgraph/testpro/AFL-Agent/utils_c_389
2 x 3 yuva420p10le -> 26 x 3 bgra64le
libswscale/output.c:1325:33: runtime error: signed integer overflow: -3421696 * 2048 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:33 in
libswscale/output.c:1325:55: runtime error: signed integer overflow: -3421696 * 2048 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:55 in
libswscale/output.c:1325:44: runtime error: signed integer overflow: 1582301184 + 1582301184 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:44 in
libswscale/output.c:1325:65: runtime error: signed integer overflow: -1130364928 - 1073741824 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:65 in
libswscale/output.c:1326:55: runtime error: signed integer overflow: -3487744 * 2048 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1326:55 in
libswscale/output.c:1326:44: runtime error: signed integer overflow: 1073739776 + 1447034880 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1326:44 in
libswscale/output.c:1326:65: runtime error: signed integer overflow: -1774192640 - 1073741824 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1326:65 in
Execution successful.
}}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/11686>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
#11686: [Security] signed integer overflow on libswscale/output.c
-------------------------------------+-------------------------------------
             Reporter:  flyfish101   |                   Owner:  (none)
                 Type:  defect       |                  Status:  new
             Priority:  critical     |               Component:  swscale
              Version:  git-master   |              Resolution:
             Keywords:  swscale,     |              Blocked By:
  overflow                           |                Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
Changes (by flyfish101):

 * Attachment "sws_int_overflow" added.

poc file

--
Ticket URL: <https://trac.ffmpeg.org/ticket/11686>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
#11686: [Security] signed integer overflow on libswscale/output.c
-------------------------------------+-------------------------------------
             Reporter:  flyfish101   |                   Owner:  (none)
                 Type:  defect       |                  Status:  new
             Priority:  important    |               Component:  swscale
              Version:  git-master   |              Resolution:
             Keywords:  swscale,     |              Blocked By:
  overflow                           |                Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
Changes (by flyfish101):

 * priority:  critical => important

Old description:

> Summary of the bug: signed integer overflow
>
> poc: [https://drive.google.com/file/d/1afws3WCzvRBc213jnIMfz_96MFNglGzd/view?usp=s...]
>
> {{{
> fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout$ ./target_sws_fuzzer /home/fuzz/Desktop/langgraph/testpro/AFL-Agent/utils_c_389
> Reading 339 bytes from /home/fuzz/Desktop/langgraph/testpro/AFL-Agent/utils_c_389
> 2 x 3 yuva420p10le -> 26 x 3 bgra64le
> libswscale/output.c:1325:33: runtime error: signed integer overflow: -3421696 * 2048 cannot be represented in type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:33 in
> libswscale/output.c:1325:55: runtime error: signed integer overflow: -3421696 * 2048 cannot be represented in type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:55 in
> libswscale/output.c:1325:44: runtime error: signed integer overflow: 1582301184 + 1582301184 cannot be represented in type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:44 in
> libswscale/output.c:1325:65: runtime error: signed integer overflow: -1130364928 - 1073741824 cannot be represented in type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:65 in
> libswscale/output.c:1326:55: runtime error: signed integer overflow: -3487744 * 2048 cannot be represented in type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1326:55 in
> libswscale/output.c:1326:44: runtime error: signed integer overflow: 1073739776 + 1447034880 cannot be represented in type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1326:44 in
> libswscale/output.c:1326:65: runtime error: signed integer overflow: -1774192640 - 1073741824 cannot be represented in type 'int'
> SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1326:65 in
> Execution successful.
> }}}

New description:

 Summary of the bug: signed integer overflow

 version: 722a2170e83231283fc74bede495b3b4ee9591ac
 OS: Ubuntu 20.04LTS
 Compiler: clang-14

 poc: [https://drive.google.com/file/d/1afws3WCzvRBc213jnIMfz_96MFNglGzd/view?usp=s...]

 {{{
 fuzz@Fuzz2:~/Desktop/projects_oss/FFmpeg/tools/fuzzout$ ./target_sws_fuzzer /home/fuzz/Desktop/langgraph/testpro/AFL-Agent/utils_c_389
 Reading 339 bytes from /home/fuzz/Desktop/langgraph/testpro/AFL-Agent/utils_c_389
 2 x 3 yuva420p10le -> 26 x 3 bgra64le
 libswscale/output.c:1325:33: runtime error: signed integer overflow: -3421696 * 2048 cannot be represented in type 'int'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:33 in
 libswscale/output.c:1325:55: runtime error: signed integer overflow: -3421696 * 2048 cannot be represented in type 'int'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:55 in
 libswscale/output.c:1325:44: runtime error: signed integer overflow: 1582301184 + 1582301184 cannot be represented in type 'int'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:44 in
 libswscale/output.c:1325:65: runtime error: signed integer overflow: -1130364928 - 1073741824 cannot be represented in type 'int'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1325:65 in
 libswscale/output.c:1326:55: runtime error: signed integer overflow: -3487744 * 2048 cannot be represented in type 'int'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1326:55 in
 libswscale/output.c:1326:44: runtime error: signed integer overflow: 1073739776 + 1447034880 cannot be represented in type 'int'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1326:44 in
 libswscale/output.c:1326:65: runtime error: signed integer overflow: -1774192640 - 1073741824 cannot be represented in type 'int'
 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libswscale/output.c:1326:65 in
 Execution successful.
 }}}

--

--
Ticket URL: <https://trac.ffmpeg.org/ticket/11686#comment:1>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
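The UBSan lines above are internally consistent, and checking that is the first thing to do before triaging a sanitizer report that a maintainer could not reproduce. The following is an added example, not the reporter's code and not FFmpeg's libswscale source. It assumes, from the column numbers and operands in the trace only, that each reported expression has the shape `a * 2048 + b * 2048 - 1073741824` (two products, a sum, then a subtraction of 1 << 30); the operand 524287 for line 1326 is likewise inferred from the non-overflowing product 1073739776 = 524287 * 2048 printed in the trace. The block recomputes that shape with the reported operands, once in `int` using the GCC/Clang overflow builtins (which flag each step and store the two's-complement wrapped value, which is exactly what UBSan printed as the next operand) and once widened to `int64_t`, which is the exact value the arithmetic was supposed to produce. Widening is shown here as the generic way to avoid the overflow; the page does not include the contents of the linked pull request, so nothing is claimed about how FFmpeg actually fixed it.

```c
/* Added example: re-derive the UBSan trace from FFmpeg ticket #11686.
 * This is NOT libswscale code; the expression shape a*w1 + b*w2 - BIAS is an
 * assumption read off the trace's column numbers and printed operands. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The constant subtracted at the end of every reported expression. */
#define BIAS ((int32_t)1 << 30)   /* 1073741824 */

struct chain {
    int32_t p1, p2, sum, fin;  /* int-wrapped intermediates, as UBSan printed them */
    int64_t exact;             /* same expression evaluated in 64-bit */
    bool    overflow;          /* true if any step left the int range */
};

/* Evaluate a*w1 + b*w2 - BIAS two ways.  The __builtin_*_overflow calls
 * return true when the mathematical result does not fit the destination
 * and still store the wrapped (modulo 2^32) value, so the struct fields hold
 * the values a non-sanitized build would silently carry forward. */
static struct chain eval_chain(int32_t a, int32_t w1, int32_t b, int32_t w2)
{
    struct chain c = {0};
    bool o = false;
    o |= __builtin_mul_overflow(a, w1, &c.p1);
    o |= __builtin_mul_overflow(b, w2, &c.p2);
    o |= __builtin_add_overflow(c.p1, c.p2, &c.sum);
    o |= __builtin_sub_overflow(c.sum, BIAS, &c.fin);
    c.overflow = o;
    /* Widened form: every intermediate fits comfortably in int64_t. */
    c.exact = (int64_t)a * w1 + (int64_t)b * w2 - BIAS;
    return c;
}

static void dump(const char *label, struct chain c)
{
    printf("%s: p1=%d p2=%d sum=%d wrapped=%d exact=%lld overflow=%s\n",
           label, c.p1, c.p2, c.sum, c.fin, (long long)c.exact,
           c.overflow ? "yes" : "no");
}

int main(void)
{
    /* Operands taken from the trace (constructed input, not the PoC file):
     * line 1325 multiplies -3421696 by 2048 twice; line 1326 multiplies
     * -3487744 by 2048 once, and its other product, 1073739776, is
     * 524287 * 2048, which did not overflow (inferred operand). */
    struct chain l1325 = eval_chain(-3421696, 2048, -3421696, 2048);
    struct chain l1326 = eval_chain(524287, 2048, -3487744, 2048);
    dump("output.c:1325", l1325);   /* p1=1582301184 sum=-1130364928 */
    dump("output.c:1326", l1326);   /* p2=1447034880 sum=-1774192640 */
    return 0;
}
```

If the wrapped intermediates printed by this block do not match the operands in a sanitizer trace, the trace did not come from the expression you think it did; here they match line for line, which confirms the report describes a real arithmetic overflow in a 50/50 two-line interpolation (weights 2048 + 2048 = 4096), fed by a chroma value far outside the range a 10-bit sample could produce. That is the part worth investigating upstream of line 1325, regardless of whether the attached file replays it.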
#11686: [Security] signed integer overflow on libswscale/output.c
-------------------------------------+-------------------------------------
             Reporter:  flyfish101   |                   Owner:  (none)
                 Type:  defect       |                  Status:  closed
             Priority:  important    |               Component:  swscale
              Version:  git-master   |              Resolution:  worksforme
             Keywords:  swscale,     |              Blocked By:
  overflow                           |                Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
Changes (by Michael Niedermayer):

 * cc: Michael Niedermayer, Niklas Haas (added)
 * resolution:  => worksforme
 * status:  new => closed

Comment:

 Not replicatable with the file provided, neither on x86-64 nor 32.
 Also the case you show does not use a testcase, but runs multiple iterations. That does not match a single testcase you provide.
 Please reopen this when you verified that the testcase you provide actually replicates an issue.

 {{{
 tools/target_sws_fuzzer /home/michael/tickets/11686/sws_int_overflow
 INFO: Running with entropic power schedule (0xFF, 100).
 INFO: Seed: 4187154971
 INFO: Loaded 1 modules (324580 inline 8-bit counters): 324580 [0x3e38a43, 0x3e87e27),
 INFO: Loaded 1 PC tables (324580 PCs): 324580 [0x350adf8,0x39fec38),
 tools/target_sws_fuzzer: Running 1 inputs 1 time(s) each.
 Running: /home/michael/tickets/11686/sws_int_overflow
 2 x 3 yuva420p10le -> 26 x 3 bgra64le
 Executed /home/michael/tickets/11686/sws_int_overflow in 3 ms
 ***
 *** NOTE: fuzzing was not performed, you have only
 ***       executed the target code on a fixed set of inputs.
 ***
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/11686#comment:2>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
#11686: [Security] signed integer overflow on libswscale/output.c
-------------------------------------+-------------------------------------
             Reporter:  flyfish101   |                   Owner:  (none)
                 Type:  defect       |                  Status:  closed
             Priority:  important    |               Component:  swscale
              Version:  git-master   |              Resolution:  worksforme
             Keywords:  swscale,     |              Blocked By:
  overflow                           |                Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
Comment (by Michael Niedermayer):

 Also, I'll post a patch fixing this, no need to repost a better report.

--
Ticket URL: <https://trac.ffmpeg.org/ticket/11686#comment:3>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
#11686: [Security] signed integer overflow on libswscale/output.c
-------------------------------------+-------------------------------------
             Reporter:  flyfish101   |                   Owner:  (none)
                 Type:  defect       |                  Status:  closed
             Priority:  important    |               Component:  swscale
              Version:  git-master   |              Resolution:  worksforme
             Keywords:  swscale,     |              Blocked By:
  overflow                           |                Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
Comment (by Michael Niedermayer):

 https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20060

--
Ticket URL: <https://trac.ffmpeg.org/ticket/11686#comment:4>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker