[FFmpeg-trac] #6712(avcodec:new): Type mismatch between vorbis_context_s::audio_samplerate and AVCodecContext::sample_rate

FFmpeg trac at avcodec.org
Tue Oct 3 01:02:30 EEST 2017 

#6712: Type mismatch between vorbis_context_s::audio_samplerate and
AVCodecContext::sample_rate
----------------------------------+--------------------------------------
             Reporter:  jrummell  |                     Type:  defect
               Status:  new       |                 Priority:  normal
            Component:  avcodec   |                  Version:  git-master
             Keywords:            |               Blocked By:
             Blocking:            |  Reproduced by developer:  0
Analyzed by developer:  0         |
----------------------------------+--------------------------------------
 vorbis_parse_id_hdr() extracts the audio sample rate into
 vorbis_context_s::audio_samplerate, which is a uint32_t. This seems to
 match what's in the
 [https://xiph.org/vorbis/doc/Vorbis_I_spec.html#x1-610004.2 spec]).
 However, later on, when passing the value in AVCodecContext::sample_rate,
 it does a conversion to int without checking. As a result, Vorbis headers
 with a large audio sample rate end up passing a negative value in
 |sample_rate|.

 This was discovered by Chromium's fuzzers (http://crbug.com/762479).

 This also happens for |audio_channels|, although it is a uint8_t converted
 to an int so it's not a problem.

 Repro. ffmpeg notes that the sample_rate is negative.
 {{{
 ffmpeg -i clusterfuzz-testcase-6655114243997696 test.mp4
 ffmpeg version N-86098-g3fefaea Copyright (c) 2000-2017 the FFmpeg
 developers
   built with gcc 4.8 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
   libavutil      55. 63.100 / 55. 63.100
   libavcodec     57. 96.101 / 57. 96.101
   libavformat    57. 72.101 / 57. 72.101
   libavdevice    57.  7.100 / 57.  7.100
   libavfilter     6. 89.101 /  6. 89.101
   libswscale      4.  7.101 /  4.  7.101
   libswresample   2.  8.100 /  2.  8.100
   libpostproc    54.  6.100 / 54.  6.100
 Input #0, matroska,webm, from 'clusterfuzz-testcase-6655114243997696':
   Metadata:
     encoder         : Lavf55.37.102
   Duration: 00:00:02.77, start: 0.000000, bitrate: 14 kb/s
     Stream #0:0: Audio: vorbis, -33506432 Hz, stereo, fltp (default)
 Stream mapping:
   Stream #0:0 -> #0:0 (vorbis (native) -> aac (native))
 Press [q] to stop, [?] for help
 [vorbis @ 0x298a800] Sample rate -33506432 invalid
 Error while processing the decoded data for stream #0:0
 Conversion failed!
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/6712>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list