Re: [FFmpeg-devel] [PATCH 1/2] avcodec/adpcm_data: extend ff_adpcm_ima_cunning_index_table
On Fri, May 29, 2020 at 03:47:03AM +, Zane van Iperen wrote: > On Thu, 28 May 2020 18:44:55 +0200 > "Michael Niedermayer" wrote: > > > > > The index table should only ever be indexed between [0,7], so this > > > looks like a bug in adpcm_ima_cunning_expand_nibble() instead. > > > > maybe it should be only 0..7 but abs(-8 .. 7) needs a 8th entrty or a > > check > > > > > > > > > > Where would one go to see the inputs for this? I'd like to > > > investigate (and test against the original decoder). > > > > The file is from a fuzzer so is random trash and it needs > > target_dec_fuzzer.c to be read. It wont be read as "Pro Pinball > > Series Soundbank" so i think that file will not be useful to test the > > behavior of the original decoder as i would assume it will not accept > > the target_dec_fuzzer data but i surely can send it to you privatly > > if you need it. just say if you want me to send you the file > > > > No need, I've found an existing file that has the same problem. Out of > all the 453 files I have, only one of them triggers this. > > tl;dr: Change the 5 to -1. > > > ff_adpcm_ima_cunning_index_table[abs(nibble)] is wrong in the case > where nibble == -8. > > If you take the unsigned nibble, and apply f(): > f(x) = 16 - x if x > 8 else x & 0x7 > > you'll get the same value as abs() applied with the signed nibble, > except for this one case (abs(-8) == 8, f(8) == 0). > > > Instead of changing the abs(), a cleaner fix is to simply change the 5 > to -1. That should give the correct output. will apply with -1 thanks [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB I have never wished to cater to the crowd; for what I know they do not approve, and what they approve I do not know. -- Epicurus signature.asc Description: PGP signature ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH 1/2] avcodec/adpcm_data: extend ff_adpcm_ima_cunning_index_table
On Thu, 28 May 2020 18:44:55 +0200 "Michael Niedermayer" wrote: > > The index table should only ever be indexed between [0,7], so this > > looks like a bug in adpcm_ima_cunning_expand_nibble() instead. > > maybe it should be only 0..7 but abs(-8 .. 7) needs a 8th entrty or a > check > > > > > > Where would one go to see the inputs for this? I'd like to > > investigate (and test against the original decoder). > > The file is from a fuzzer so is random trash and it needs > target_dec_fuzzer.c to be read. It wont be read as "Pro Pinball > Series Soundbank" so i think that file will not be useful to test the > behavior of the original decoder as i would assume it will not accept > the target_dec_fuzzer data but i surely can send it to you privatly > if you need it. just say if you want me to send you the file > No need, I've found an existing file that has the same problem. Out of all the 453 files I have, only one of them triggers this. tl;dr: Change the 5 to -1. ff_adpcm_ima_cunning_index_table[abs(nibble)] is wrong in the case where nibble == -8. If you take the unsigned nibble, and apply f(): f(x) = 16 - x if x > 8 else x & 0x7 you'll get the same value as abs() applied with the signed nibble, except for this one case (abs(-8) == 8, f(8) == 0). Instead of changing the abs(), a cleaner fix is to simply change the 5 to -1. That should give the correct output. Zane ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH 1/2] avcodec/adpcm_data: extend ff_adpcm_ima_cunning_index_table
On Thu, May 28, 2020 at 02:06:32PM +, Zane van Iperen wrote: > On Thu, 28 May 2020 14:12:33 +0200 > "Michael Niedermayer" wrote: > > > > > Fixes: overread by 1 > > Fixes: > > 21880/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_CUNNING_fuzzer-5717917221257216.fuzz > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > > > -const int8_t ff_adpcm_ima_cunning_index_table[8] = { > > --1, -1, -1, -1, 1, 2, 3, 4, > > +const int8_t ff_adpcm_ima_cunning_index_table[9] = { > > +-1, -1, -1, -1, 1, 2, 3, 4, 5 > > }; > > > The index table should only ever be indexed between [0,7], so this > looks like a bug in adpcm_ima_cunning_expand_nibble() instead. maybe it should be only 0..7 but abs(-8 .. 7) needs a 8th entrty or a check > > Where would one go to see the inputs for this? I'd like to investigate > (and test against the original decoder). The file is from a fuzzer so is random trash and it needs target_dec_fuzzer.c to be read. It wont be read as "Pro Pinball Series Soundbank" so i think that file will not be useful to test the behavior of the original decoder as i would assume it will not accept the target_dec_fuzzer data but i surely can send it to you privatly if you need it. just say if you want me to send you the file Thanks [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB He who knows, does not speak. He who speaks, does not know. -- Lao Tsu signature.asc Description: PGP signature ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
Re: [FFmpeg-devel] [PATCH 1/2] avcodec/adpcm_data: extend ff_adpcm_ima_cunning_index_table
On Thu, 28 May 2020 14:12:33 +0200 "Michael Niedermayer" wrote: > > Fixes: overread by 1 > Fixes: > 21880/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_CUNNING_fuzzer-5717917221257216.fuzz > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > -const int8_t ff_adpcm_ima_cunning_index_table[8] = { > --1, -1, -1, -1, 1, 2, 3, 4, > +const int8_t ff_adpcm_ima_cunning_index_table[9] = { > +-1, -1, -1, -1, 1, 2, 3, 4, 5 > }; > The index table should only ever be indexed between [0,7], so this looks like a bug in adpcm_ima_cunning_expand_nibble() instead. Where would one go to see the inputs for this? I'd like to investigate (and test against the original decoder). Zane ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
[FFmpeg-devel] [PATCH 1/2] avcodec/adpcm_data: extend ff_adpcm_ima_cunning_index_table
Fixes: overread by 1 Fixes: 21880/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ADPCM_IMA_CUNNING_fuzzer-5717917221257216.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/adpcm_data.c | 4 ++-- libavcodec/adpcm_data.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libavcodec/adpcm_data.c b/libavcodec/adpcm_data.c index cb9d20948e..6fbde8aece 100644 --- a/libavcodec/adpcm_data.c +++ b/libavcodec/adpcm_data.c @@ -178,8 +178,8 @@ const int16_t ff_adpcm_mtaf_stepsize[32][16] = { -424, -1273, -2121, -2970, -3819, -4668, -5516, -6365, }, }; -const int8_t ff_adpcm_ima_cunning_index_table[8] = { --1, -1, -1, -1, 1, 2, 3, 4, +const int8_t ff_adpcm_ima_cunning_index_table[9] = { +-1, -1, -1, -1, 1, 2, 3, 4, 5 }; const int16_t ff_adpcm_ima_cunning_step_table[61] = { diff --git a/libavcodec/adpcm_data.h b/libavcodec/adpcm_data.h index fa8a03ee1f..d678bfc71a 100644 --- a/libavcodec/adpcm_data.h +++ b/libavcodec/adpcm_data.h @@ -42,7 +42,7 @@ extern const int16_t ff_adpcm_yamaha_indexscale[]; extern const int8_t ff_adpcm_yamaha_difflookup[]; extern const int16_t ff_adpcm_afc_coeffs[2][16]; extern const int16_t ff_adpcm_mtaf_stepsize[32][16]; -extern const int8_t ff_adpcm_ima_cunning_index_table[8]; +extern const int8_t ff_adpcm_ima_cunning_index_table[9]; extern const int16_t ff_adpcm_ima_cunning_step_table[61]; #endif /* AVCODEC_ADPCM_DATA_H */ -- 2.17.1 ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".