From e7d8591ff208803eee35dc289e89a0d69b707585 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Sat, 1 Feb 2020 22:13:18 +0200 Subject: Don't use an enum for a value read directly from the bitstream The enum doesn't cover all possible values read from the bitstream. This fixes undefined behaviour sanitizer errors. Fixes: 20376/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-4785514974806016.dms Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libMpegTPDec/src/tpdec_asc.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'libMpegTPDec/src/tpdec_asc.cpp') diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp index 28bc22d..0f80a4b 100644 --- a/libMpegTPDec/src/tpdec_asc.cpp +++ b/libMpegTPDec/src/tpdec_asc.cpp @@ -1628,14 +1628,14 @@ static TRANSPORTDEC_ERROR configExtension(CSUsacConfig *usc, TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK; int numConfigExtensions; - CONFIG_EXT_ID usacConfigExtType; + int usacConfigExtType; int usacConfigExtLength; numConfigExtensions = (int)escapedValue(hBs, 2, 4, 8) + 1; for (int confExtIdx = 0; confExtIdx < numConfigExtensions; confExtIdx++) { INT nbits; int loudnessInfoSetConfigExtensionPosition = FDKgetValidBits(hBs); - usacConfigExtType = (CONFIG_EXT_ID)escapedValue(hBs, 4, 8, 16); + usacConfigExtType = escapedValue(hBs, 4, 8, 16); usacConfigExtLength = (int)escapedValue(hBs, 4, 8, 16); /* Start bit position of config extension */ -- cgit v1.2.3 From 5aa57d363353a635c4ee877ff4f2351f17ded59b Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Thu, 4 Jun 2020 09:46:46 +0300 Subject: Don't use an enum for a value read directly from the bitstream The enum doesn't cover all possible values read from the bitstream. This fixes undefined behaviour sanitizer errors. Fixes: 22486/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-5735284884111360 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libMpegTPDec/src/tpdec_asc.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'libMpegTPDec/src/tpdec_asc.cpp') diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp index 0f80a4b..b10602d 100644 --- a/libMpegTPDec/src/tpdec_asc.cpp +++ b/libMpegTPDec/src/tpdec_asc.cpp @@ -1325,7 +1325,7 @@ static TRANSPORTDEC_ERROR EldSpecificConfig_Parse(CSAudioSpecificConfig *asc, CSTpCallBacks *cb) { TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK; CSEldSpecificConfig *esc = &asc->m_sc.m_eldSpecificConfig; - ASC_ELD_EXT_TYPE eldExtType; + int eldExtType; int eldExtLen, len, cnt, ldSbrLen = 0, eldExtLenSum, numSbrHeader = 0, sbrIndex; @@ -1395,7 +1395,7 @@ static TRANSPORTDEC_ERROR EldSpecificConfig_Parse(CSAudioSpecificConfig *asc, esc->m_downscaledSamplingFrequency = asc->m_samplingFrequency; /* parse ExtTypeConfigData */ while ( - ((eldExtType = (ASC_ELD_EXT_TYPE)FDKreadBits(hBs, 4)) != ELDEXT_TERM) && + ((eldExtType = FDKreadBits(hBs, 4)) != ELDEXT_TERM) && ((INT)FDKgetValidBits(hBs) >= 0)) { eldExtLen = len = FDKreadBits(hBs, 4); if (len == 0xf) { -- cgit v1.2.3 From 8439b745f65bce3fd55ffc9f9edcc04f5f447c55 Mon Sep 17 00:00:00 2001 From: Martin Storsjo Date: Fri, 17 Jul 2020 22:51:34 +0300 Subject: Don't use an enum for a value read directly from the bitstream The enum doesn't cover all possible values read from the bitstream. This fixes undefined behaviour sanitizer errors. Fixes: 23719/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LIBFDK_AAC_fuzzer-5111020367642624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg --- libMpegTPDec/src/tpdec_asc.cpp | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'libMpegTPDec/src/tpdec_asc.cpp') diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp index b10602d..8868b22 100644 --- a/libMpegTPDec/src/tpdec_asc.cpp +++ b/libMpegTPDec/src/tpdec_asc.cpp @@ -1546,8 +1546,7 @@ static TRANSPORTDEC_ERROR extElementConfig(CSUsacExtElementConfig *extElement, const AUDIO_OBJECT_TYPE aot) { TRANSPORTDEC_ERROR ErrorStatus = TRANSPORTDEC_OK; - USAC_EXT_ELEMENT_TYPE usacExtElementType = - (USAC_EXT_ELEMENT_TYPE)escapedValue(hBs, 4, 8, 16); + int usacExtElementType = escapedValue(hBs, 4, 8, 16); /* recurve extension elements which are invalid for USAC */ if (aot == AOT_USAC) { @@ -1564,7 +1563,7 @@ static TRANSPORTDEC_ERROR extElementConfig(CSUsacExtElementConfig *extElement, } } - extElement->usacExtElementType = usacExtElementType; + extElement->usacExtElementType = (USAC_EXT_ELEMENT_TYPE) usacExtElementType; int usacExtElementConfigLength = escapedValue(hBs, 4, 8, 16); extElement->usacExtElementConfigLength = (USHORT)usacExtElementConfigLength; INT bsAnchor; -- cgit v1.2.3