Skip to content
GitLab
Open
Created by Michael Niedermayer@michaelni

Invalid shift in oggpack_read()

ossfuzz of ffmpeg - libvorbis (which uses libogg) possibly found a bug in libogg

bitwise.c:396:23: runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
    #0 0x7f3378 in oggpack_read /src/ogg/src/bitwise.c:396:23
    #1 0x7cb1eb in _vorbis_unpack_info /src/vorbis/lib/info.c:212:15
    #2 0x7cb0f5 in vorbis_synthesis_headerin /src/vorbis/lib/info.c:409:16
    #3 0x4c2d82 in oggvorbis_decode_init /src/ffmpeg/libavcodec/libvorbisdec.c:108:12

The code is possibly in need of a cast to unsigned but i have not looked deeply into it. The full report and 2 testcases are at the link below (this is possible not publically accessible but i can give access to this to anyone from xiph or libogg who wants to look into it). The testcase would require ffmpeg+ossfuzz+libvorbis+libogg in a bloated docker image though sadly, so iam not sure how useful that testcase would be. For me it does not reproduce outside docker. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18710