Hi All,

We had crashes in prod while compressing audio with G.723.1 using ffmpeg as a 
library. The callstack was:

fcb_search, line 1027
ff_encode_encode_cb, line 253
encode_simple_internal, line 339
avcodec_send_frame, line 530

After debugging the issue I found that the crash is caused by FCBParam optim; 
being uninitialized in fcb_search().

The context of fcb_search(), line 1027 in libavcodec\g723_1enc.c:
    /* Reconstruct the excitation */
    memset(buf, 0, sizeof(int16_t) * SUBFRAME_LEN);
    for (i = 0; i < pulse_cnt; i++)
        buf[optim.pulse_pos[i]] = optim.pulse_sign[i];

The last line is 1027, the crash is caused by out of bounds indexing buf with 
the values in optim.pulse_pos (pulse_cnt is either 5 or 6, and the size of 
FCBParam::pulse_sign and pulse_pos is PULSE_MAX (6)).

The local variable optim is not initialized in fcb_search(). In get_fcb_param() 
it's assigned at the end of the function in the /* Minimize */ part, but only 
if (err < optim->min_err), where optim.min_err = 1 << 30;. err is calculated 
above that in the /* Compute square of error */ part, by clamping a 64 bit int 
to 32 bits, so it can easily be larger than 1 << 30. If this happens in all the 
iterations in get_fcb_param(), then optim is not initialized, and buf is 
indexed by an uninitialized variable, which caused the crashes.

The fix is to initialize optim in fcb_search(). After we applied the patch to 
ffmpeg, the compressions did not crash anymore.

Note: this only fixes the crash by ensuring the indices are in the valid range, 
it doesn't make them correct.

Thanks,
Zsolt
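The failure mode described in the report, as an added stand-alone model that is not ffmpeg's code: a "minimize" step that only fills optim when the clamped 32-bit error beats the initial 1 << 30, so that when every candidate's error is too large the struct is never written, and the reconstruction loop then indexes buf with whatever was on the stack. FCBParam, clamp32, minimize and fcb_search_model are simplified assumptions that keep only the fields and steps the report mentions; stale stack contents are simulated with 0xAB bytes so the result is deterministic.

```c
#include <stdint.h>
#include <string.h>
#define SUBFRAME_LEN 60
#define PULSE_MAX    6

/* Reduced model of FCBParam: only the fields the report talks about (assumption). */
typedef struct {
    int min_err;
    int pulse_pos[PULSE_MAX];
    int pulse_sign[PULSE_MAX];
} FCBParam;

/* "Compute square of error": a 64-bit value clamped to 32 bits, so it can exceed 1 << 30. */
static int32_t clamp32(int64_t v) {
    if (v > INT32_MAX) return INT32_MAX;
    if (v < INT32_MIN) return INT32_MIN;
    return (int32_t)v;
}

/* "Minimize": a candidate only lands in *optim if its error beats optim->min_err.
 * Candidate positions and signs are constructed here; they stand in for the real search. */
static void minimize(FCBParam *optim, const int64_t *errs, int n, int pulse_cnt) {
    for (int i = 0; i < n; i++) {
        int32_t err = clamp32(errs[i]);
        if (err < optim->min_err) {
            optim->min_err = err;
            for (int j = 0; j < pulse_cnt; j++) {
                optim->pulse_pos[j]  = (i + 8 * j) % SUBFRAME_LEN;
                optim->pulse_sign[j] = (j & 1) ? -1 : 1;
            }
        }
    }
}

/* Search, then reconstruct the excitation. Returns 0 if a candidate won, 1 if none did but the
 * zero-initialised optim still gave in-range (all-zero) indices, -1 if an index would run past buf. */
int fcb_search_model(const int64_t *errs, int n, int pulse_cnt, int zero_init, int16_t *buf) {
    FCBParam optim;
    /* Unpatched: stale stack bytes (simulated as 0xAB). Patched: optim is zeroed first. */
    memset(&optim, zero_init ? 0 : 0xAB, sizeof(optim));
    optim.min_err = 1 << 30;
    minimize(&optim, errs, n, pulse_cnt);
    memset(buf, 0, sizeof(int16_t) * SUBFRAME_LEN);
    for (int i = 0; i < pulse_cnt; i++) {
        int pos = optim.pulse_pos[i];
        if (pos < 0 || pos >= SUBFRAME_LEN)
            return -1;   /* the out-of-bounds write the crash report describes */
        buf[pos] = (int16_t)optim.pulse_sign[i];
    }
    return optim.min_err == (1 << 30) ? 1 : 0;
}
```

With zero-initialisation the no-candidate case writes sign 0 at position 0 for every pulse: in range, as the report's note says, but not a meaningful result.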



Attachment: 0001-libavcodec-g723_1enc-fix-crash.patch

ffmpeg-devel mailing list -- [email protected]