FFMPEG: signed integer overflow in [@implicit_weight_table]

Status: RESOLVED FIXED
Product: Core
Component: Audio/Video: Playback
Priority: P2
Severity: critical
Reported: 2 years ago
Modified: 2 years ago

People

(Reporter: tsmith, Assigned: gerald)

Tracking

(Blocks: 1 bug; Keywords: testcase; Version: Trunk)

Firefox Tracking Flags

(firefox45 affected)

(Reporter)

Description

2 years ago
Created attachment 8695675 [details]
call_stack.txt

Found while fuzzing ffmpeg at commit 259c71c199e9b4ea89bf4cb90ed0e207ddc9dff7.

This is an Undefined behavior sanitizer (UBSan) runtime error.

Looks like there are two in this function:
libavcodec/h264_slice.c:786:36: runtime error: signed integer overflow: 2147483647 + 65545 cannot be represented in type 'int'

libavcodec/h264_slice.c:812:46: runtime error: signed integer overflow: -8 - 2147483647 cannot be represented in type 'int'

Run this command with a UBSan build:
$ ./ffmpeg -v 0 -nostats -f h264 -i test_case.264 -f null -
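The two diagnostics above are plain `int` additions and subtractions that UBSan caught at run time. The following is an added example, not FFmpeg code and not the fix referenced later in this bug: it takes the two operand pairs quoted in the report and shows the kind of range check that rejects them before the arithmetic happens. The helper names (`checked_add_int`, `checked_sub_int`, `count_reported_overflows`) are ours. The point a practitioner should take away is that the bounds must be tested before the operation; testing afterwards with something like `if (a + b < a)` is itself a signed overflow, so an optimising compiler may delete that test.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Added example (not FFmpeg code): overflow-checked int arithmetic around
 * the two operand pairs from the UBSan report above. Helper names are ours.
 */

/* The pattern UBSan complained about: a + b with no range check.
 * Calling it with the report's operands under -fsanitize=undefined prints
 * the same "signed integer overflow" diagnostic; with safe operands it is
 * an ordinary addition. */
static int unchecked_add(int a, int b)
{
    return a + b;
}

/* Returns true and stores a + b in *out, or false if it would overflow.
 * The comparisons only ever compute INT_MAX - b or INT_MIN - b with b of
 * the matching sign, so they cannot overflow themselves. */
static bool checked_add_int(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/* Returns true and stores a - b in *out, or false if it would overflow. */
static bool checked_sub_int(int a, int b, int *out)
{
    if ((b < 0 && a > INT_MAX + b) || (b > 0 && a < INT_MIN + b))
        return false;
    *out = a - b;
    return true;
}

/* Verdict-only wrappers for callers that do not need the result. */
static bool add_overflows(int a, int b)
{
    int r;
    return !checked_add_int(a, b, &r);
}

static bool sub_overflows(int a, int b)
{
    int r;
    return !checked_sub_int(a, b, &r);
}

/* The two operand pairs quoted from the report:
 *   h264_slice.c:786   2147483647 + 65545
 *   h264_slice.c:812   -8 - 2147483647
 * Returns how many of them the checks reject (expected: both). */
static int count_reported_overflows(void)
{
    int n = 0;
    n += add_overflows(INT_MAX, 65545);   /* 2147483647 + 65545 */
    n += sub_overflows(-8, INT_MAX);      /* -8 - 2147483647 */
    return n;
}

int main(void)
{
    int r;

    printf("INT_MAX + 65545   : %s\n",
           checked_add_int(INT_MAX, 65545, &r) ? "ok" : "would overflow");
    printf("-8 - INT_MAX      : %s\n",
           checked_sub_int(-8, INT_MAX, &r) ? "ok" : "would overflow");
    printf("(INT_MAX - 1) + 1 : %s (%d)\n",
           checked_add_int(INT_MAX - 1, 1, &r) ? "ok" : "would overflow", r);
    printf("%d of 2 reported operations rejected\n", count_reported_overflows());

    /* Safe operands here; swap in (INT_MAX, 65545) under a UBSan build to
     * reproduce the diagnostic from the report. */
    printf("unchecked 1 + 2   : %d\n", unchecked_add(1, 2));
    return 0;
}
```

Build it with `cc -fsanitize=undefined example.c` to have UBSan instrument the arithmetic: the checked helpers never execute the overflowing operation, so they stay silent, while `unchecked_add(INT_MAX, 65545)` reports the same "2147483647 + 65545 cannot be represented in type 'int'" text seen in the description. What the caller does on a `false` return (clamp, reject the slice, or fall back to a default weight) is a decoder design decision the page does not cover.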
(Reporter)

Comment 1

2 years ago
Created attachment 8695676 [details]
test_case.264

Comment 2

Michael, did you see this one?
Flags: needinfo?(michael)
Priority: -- → P1

Comment 3

Assigning to Gerald to make sure this gets followed up.
Assignee: nobody → gsquelart

Comment 4

Seems I missed or forgot about this one.
Should be fixed in 7cc01c25727a96eaaa0c177234b626e47c8ea491.
Does not look security relevant.
Flags: needinfo?(michael)
(Reporter)

Updated

2 years ago
Blocks: 1240080
(Reporter)

Updated

2 years ago
No longer blocks: 1240080
Priority: P1 → P2
(Assignee)

Comment 5

2 years ago
As per comment 4, fixed in https://github.com/FFmpeg/FFmpeg/commit/7cc01c25727a96eaaa0c177234b626e47c8ea491
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED