fix signed integer overflow detected by oss-fuzz

2020-09-14 17:28:06 +08:00 · 2020-09-14 17:28:06 +08:00 · b73039fdfb
commit b73039fdfb
parent de273a225b
2 changed files with 132 additions and 1 deletions
--- a/backport-math_approx-use-unsigned-int-for-LCG-pseudorandom-ge.patch
+++ b/backport-math_approx-use-unsigned-int-for-LCG-pseudorandom-ge.patch
@ -0,0 +1,123 @@
+From c1f82d214872cae4a60c2594cc8c53d11246e3a9 Mon Sep 17 00:00:00 2001
+From: Tristan Matthews <tmatth@videolan.org>
+Date: Sat, 2 Mar 2019 00:50:35 -0500
+Subject: [PATCH] math_approx: use unsigned int for LCG pseudorandom generator
+
+This avoids an integer overflow.
+---
+ libspeex/cb_search.c   | 4 ++--
+ libspeex/cb_search.h   | 4 ++--
+ libspeex/math_approx.h | 4 ++--
+ libspeex/modes.h       | 2 +-
+ libspeex/nb_celp.h     | 2 +-
+ libspeex/sb_celp.h     | 2 +-
+ 6 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/libspeex/cb_search.c b/libspeex/cb_search.c
+index 63f4c6a..9629772 100644
+--- a/libspeex/cb_search.c
+++ b/libspeex/cb_search.c
+@@ -517,7 +517,7 @@ const void *par,                      /* non-overlapping codebook */
+ int   nsf,                      /* number of samples in subframe */
+ SpeexBits *bits,
+ char *stack,
+-spx_int32_t *seed
+spx_uint32_t *seed
+ )
+ {
+    int i,j;
+@@ -602,7 +602,7 @@ const void *par,                      /* non-overlapping codebook */
+ int   nsf,                      /* number of samples in subframe */
+ SpeexBits *bits,
+ char *stack,
+-spx_int32_t *seed
+spx_uint32_t *seed
+ )
+ {
+    int i;
+diff --git a/libspeex/cb_search.h b/libspeex/cb_search.h
+index 7687b45..eb45b56 100644
+--- a/libspeex/cb_search.h
+++ b/libspeex/cb_search.h
+@@ -70,7 +70,7 @@ const void *par,                /* non-overlapping codebook */
+ int   nsf,                      /* number of samples in subframe */
+ SpeexBits *bits,
+ char *stack,
+-spx_int32_t *seed
+spx_uint32_t *seed
+ );
+ 
+ 
+@@ -97,7 +97,7 @@ const void *par,                /* non-overlapping codebook */
+ int   nsf,                      /* number of samples in subframe */
+ SpeexBits *bits,
+ char *stack,
+-spx_int32_t *seed
+spx_uint32_t *seed
+ );
+ 
+ #endif
+diff --git a/libspeex/math_approx.h b/libspeex/math_approx.h
+index 9ca8307..6573113 100644
+--- a/libspeex/math_approx.h
+++ b/libspeex/math_approx.h
+@@ -46,7 +46,7 @@
+ #define spx_atan atan
+ 
+ /** Generate a pseudo-random number */
+-static inline spx_word16_t speex_rand(spx_word16_t std, spx_int32_t *seed)
+static inline spx_word16_t speex_rand(spx_word16_t std, spx_uint32_t *seed)
+ {
+    const unsigned int jflone = 0x3f800000;
+    const unsigned int jflmsk = 0x007fffff;
+@@ -119,7 +119,7 @@ static inline spx_int16_t spx_ilog4(spx_uint32_t x)
+ #ifdef FIXED_POINT
+ 
+ /** Generate a pseudo-random number */
+-static inline spx_word16_t speex_rand(spx_word16_t std, spx_int32_t *seed)
+static inline spx_word16_t speex_rand(spx_word16_t std, spx_uint32_t *seed)
+ {
+    spx_word32_t res;
+    *seed = 1664525 * *seed + 1013904223;
+diff --git a/libspeex/modes.h b/libspeex/modes.h
+index 26e2d86..0ae19cc 100644
+--- a/libspeex/modes.h
+++ b/libspeex/modes.h
+@@ -86,7 +86,7 @@ typedef void (*innovation_quant_func)(spx_word16_t *, spx_coef_t *, spx_coef_t *
+                                       spx_sig_t *, spx_word16_t *, SpeexBits *, char *, int, int);
+ 
+ /** Innovation unquantization function */
+-typedef void (*innovation_unquant_func)(spx_sig_t *, const void *, int, SpeexBits*, char *, spx_int32_t *);
+typedef void (*innovation_unquant_func)(spx_sig_t *, const void *, int, SpeexBits*, char *, spx_uint32_t *);
+ 
+ /** Description of a Speex sub-mode (wither narrowband or wideband */
+ typedef struct SpeexSubmode {
+diff --git a/libspeex/nb_celp.h b/libspeex/nb_celp.h
+index 14c776f..41ccd15 100644
+--- a/libspeex/nb_celp.h
+++ b/libspeex/nb_celp.h
+@@ -153,7 +153,7 @@ typedef struct DecState {
+    spx_word16_t  last_pitch_gain; /**< Pitch gain of last correctly decoded frame */
+    spx_word16_t  pitch_gain_buf[3]; /**< Pitch gain of last decoded frames */
+    int    pitch_gain_buf_idx;   /**< Tail of the buffer */
+-   spx_int32_t seed;            /** Seed used for random number generation */
+   spx_uint32_t seed;            /** Seed used for random number generation */
+    
+    int    encode_submode;
+    const SpeexSubmode * const *submodes; /**< Sub-mode data */
+diff --git a/libspeex/sb_celp.h b/libspeex/sb_celp.h
+index e8c3761..24a2801 100644
+--- a/libspeex/sb_celp.h
+++ b/libspeex/sb_celp.h
+@@ -121,7 +121,7 @@ typedef struct SBDecState {
+    spx_word16_t *innov_save;      /** If non-NULL, innovation is copied here */
+    
+    spx_word16_t last_ener;
+-   spx_int32_t seed;
+   spx_uint32_t seed;
+ 
+    int    encode_submode;
+    const SpeexSubmode * const *submodes;
+-- 
+2.23.0
+
--- a/speex.spec
+++ b/speex.spec
@ -1,11 +1,13 @@
 Name:		speex
 Version:	1.2.0
-Release:	4
+Release:	5
 Summary:	A Free Codec For Free Speech
 License:	BSD
 URL:		https://www.speex.org/
 Source0:	http://downloads.us.xiph.org/releases/speex/%{name}-%{version}.tar.gz

+Patch6000: backport-math_approx-use-unsigned-int-for-LCG-pseudorandom-ge.patch
+
 BuildRequires: gcc git pkgconfig(ogg) pkgconfig(speexdsp)

 Obsoletes: %{name}-tools
@ -67,6 +69,12 @@ This package is the development and  files for speex.
 %{_mandir}/man1/speexdec.1.gz

 %changelog
+* Mon Sep 14 2020 shangyibin<shangyibin1@huawei.com> - 1.2.0-5
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:fix signed integer overflow detected by oss-fuzz 
+
 * Fri Sep 27 2019 shenyangyang<shenyangyang4@huawei.com> - 1.2.0-4
 - Type:enhancement
 - ID:NA