Opened 5 years ago
Closed 5 years ago
#8335 closed defect (fixed)
Integer divide by zero in libavformat/bintext.c
| Reported by: | andreafioraldi | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avformat |
| Version: | git-master | Keywords: | bintext crash fpe |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | yes |
| Analyzed by developer: | no | | |
Description
Hi, I found this bug while fuzzing.
It is a division by zero in predict_width() of libavformat/bintext.c.
The bug affects ffmpeg 4.2.1 as well as git-master.
The Valgrind output is:
valgrind ../FFmpeg/ffmpeg_g -y -i out/ffmpeg/weizz_rq_1571070675/crashes/id:000004,sig:08,src:015475,time:156881952,op:cmpdata,pos:98,val:be:+2 -c:v mpeg4 -c:a out.mp4
==32974== Memcheck, a memory error detector
==32974== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==32974== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==32974== Command: ../FFmpeg/ffmpeg_g -y -i out/ffmpeg/weizz_rq_1571070675/crashes/id:000004,sig:08,src:015475,time:156881952,op:cmpdata,pos:98,val:be:+2 -c:v mpeg4 -c:a out.mp4
==32974==
ffmpeg version N-95553-g155508c6e9 Copyright (c) 2000-2019 the FFmpeg developers
  built with gcc 6.3.0 (Debian 6.3.0-18+deb9u1) 20170516
  configuration: --enable-debug
  libavutil      56. 35.101 / 56. 35.101
  libavcodec     58. 59.102 / 58. 59.102
  libavformat    58. 33.100 / 58. 33.100
  libavdevice    58.  9.100 / 58.  9.100
  libavfilter     7. 65.100 /  7. 65.100
  libswscale      5.  6.100 /  5.  6.100
  libswresample   3.  6.100 /  3.  6.100
Trailing option(s) found in the command: may be ignored.
[bin @ 0x70b5640] Format bin detected only with low score of 1, misdetection possible!
==32974==
==32974== Process terminating with default action of signal 8 (SIGFPE)
==32974==  Integer divide by zero at address 0x806925EF7
==32974==    at 0x45FB21: predict_width (bintext.c:125)
==32974==    by 0x45FB21: bintext_read_header (bintext.c:197)
==32974==    by 0x57C740: avformat_open_input (utils.c:633)
==32974==    by 0x27D6D4: open_input_file (ffmpeg_opt.c:1105)
==32974==    by 0x27F46D: open_files (ffmpeg_opt.c:3283)
==32974==    by 0x27F46D: ffmpeg_parse_options (ffmpeg_opt.c:3323)
==32974==    by 0x2773A6: main (ffmpeg.c:4863)
==32974==
==32974== HEAP SUMMARY:
==32974==     in use at exit: 38,913 bytes in 51 blocks
==32974==   total heap usage: 90 allocs, 39 frees, 78,778 bytes allocated
==32974==
==32974== LEAK SUMMARY:
==32974==    definitely lost: 0 bytes in 0 blocks
==32974==    indirectly lost: 0 bytes in 0 blocks
==32974==      possibly lost: 0 bytes in 0 blocks
==32974==    still reachable: 38,913 bytes in 51 blocks
==32974==         suppressed: 0 bytes in 0 blocks
==32974== Rerun with --leak-check=full to see details of leaked memory
==32974==
==32974== For counts of detected and suppressed errors, rerun with: -v
==32974== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Floating point exception
The testcase that triggers the bug is the following (in base64):
VE1BU0FVQ0UwMEkgTElTVOz8AAAAAAIAAAAAAAAAAOdLSVNUlBAT/3N0cmxzdAAAAHsaRd+j8A
ZHt9fQAQAAEF6AABAAD5/vwAAAAAAAAEAAAAAAAAAExJU1SUEAAAAAUBAAABABUAAQCAAGkBAAAB
ZHNGAAAAAAMfYkEAowAAlOI=
Regards,
Andrea
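The following is an added example, not code from FFmpeg or from this ticket. It models the bug class the report describes: a width read from an untrusted trailer becomes the divisor in a height guess, so a width of fewer than 8 pixels turns the divisor into zero and the process dies with SIGFPE, exactly the signal valgrind shows above. The SAUCE trailer layout used here (128 bytes at the end of the file, TInfo1 = width in characters for character-mode data) follows the public SAUCE specification; the function names, the height formula, the 8x16 font assumption and the sample trailer are constructed for this example and are not how bintext.c derives width or height.

```c
/*
 * Illustrative example (not FFmpeg code): an untrusted width from a SAUCE
 * trailer flows into an integer division when the frame height is guessed.
 * height_unchecked() shows the crashing pattern; height_checked() rejects
 * the width before dividing. All names and formulas are assumptions.
 */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAUCE_LEN 128   /* SAUCE record is a fixed 128-byte trailer */
#define FONT_W 8        /* assumed glyph size: 8 px wide, 16 px tall */
#define FONT_H 16

struct sauce_info {
    uint32_t filesize;  /* payload size recorded in the trailer (LE32) */
    uint8_t  datatype;  /* 1 = Character */
    uint8_t  filetype;  /* 5 = BinaryText for DataType 1 */
    uint16_t tinfo1;    /* width in characters (attacker controlled) */
    uint16_t tinfo2;    /* number of lines */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the trailer at the end of buf. Returns 0 on success, -1 if absent. */
int parse_sauce(const uint8_t *buf, size_t len, struct sauce_info *out)
{
    if (len < SAUCE_LEN)
        return -1;
    const uint8_t *t = buf + len - SAUCE_LEN;
    if (memcmp(t, "SAUCE00", 7) != 0)
        return -1;
    /* Field offsets per the SAUCE spec: ID 0, Version 5, Title 7, Author 42,
     * Group 62, Date 82, FileSize 90, DataType 94, FileType 95, TInfo1 96. */
    out->filesize = rd32(t + 90);
    out->datatype = t[94];
    out->filetype = t[95];
    out->tinfo1   = rd16(t + 96);
    out->tinfo2   = rd16(t + 98);
    return 0;
}

/* Crashing pattern: width_px below 8 makes (width_px >> 3) * 2 zero and the
 * division raises SIGFPE. Only safe to call with a validated width. */
int height_unchecked(uint64_t fsize, int width_px)
{
    return (int)((fsize / (uint64_t)((width_px >> 3) * 2)) << 4);
}

/* Hardened form: validate the divisor before dividing, bound the result. */
int height_checked(uint64_t fsize, int width_px, int *height_out)
{
    if (width_px < FONT_W)                 /* divisor would be zero */
        return -1;
    uint64_t bytes_per_row = (uint64_t)(width_px / FONT_W) * 2; /* char + attr */
    uint64_t rows = fsize / bytes_per_row;
    if (rows > (uint64_t)(INT_MAX / FONT_H))
        return -1;
    *height_out = (int)(rows * FONT_H);
    return 0;
}

/* Build a constructed SAUCE trailer carrying the given character width. */
void make_sauce(uint8_t *t, uint32_t filesize, uint16_t width_chars)
{
    memset(t, 0, SAUCE_LEN);
    memcpy(t, "SAUCE00", 7);
    t[90] = (uint8_t)filesize;        t[91] = (uint8_t)(filesize >> 8);
    t[92] = (uint8_t)(filesize >> 16); t[93] = (uint8_t)(filesize >> 24);
    t[94] = 1;                        /* DataType: Character */
    t[95] = 5;                        /* FileType: BinaryText */
    t[96] = (uint8_t)width_chars;     t[97] = (uint8_t)(width_chars >> 8);
}

/* Demuxer-style header step: trailer width -> pixel width -> height guess. */
int guess_height(const uint8_t *buf, size_t len, int *height_out)
{
    struct sauce_info si;
    if (parse_sauce(buf, len, &si) != 0)
        return -1;
    uint64_t fsize = len - SAUCE_LEN;          /* payload excludes trailer */
    int width_px = (int)si.tinfo1 * FONT_W;    /* 0 chars -> 0 px */
    return height_checked(fsize, width_px, height_out);
}

#define PAYLOAD 4000
/* Constructed 4000-byte payload plus trailer; returns height or -1 if rejected. */
int demo_height(uint16_t width_chars)
{
    static uint8_t file[PAYLOAD + SAUCE_LEN];
    int h;
    memset(file, 0, sizeof file);
    make_sauce(file + PAYLOAD, PAYLOAD, width_chars);
    return guess_height(file, sizeof file, &h) == 0 ? h : -1;
}

int main(void)
{
    printf("width 80 chars -> height %d px\n", demo_height(80));
    printf("width 0 chars  -> %d (rejected before the divide)\n", demo_height(0));
    printf("unchecked, valid width 640 px -> %d px\n", height_unchecked(PAYLOAD, 640));
    return 0;
}
```

The guard has to sit before the division; checking the computed height afterwards is too late, because the trap fires inside the divide. For finding this class without valgrind, build the fuzz target with `-fsanitize=integer-divide-by-zero` (part of UBSan in gcc and clang), which reports the faulting expression and line instead of a bare SIGFPE.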
Attachments (1)
Change History (3)
by , 5 years ago

| Attachment: | id:000004,sig:08,src:015475,time:156881952,op:cmpdata,pos:98,val:be:+2 added |
|---|---|
| Description: | Testcase that triggers the bug |
comment:1 by , 5 years ago

| Keywords: | bintext crash fpe added; division zero removed |
|---|---|
| Reproduced by developer: | set |
| Status: | new → open |
| Version: | 4.2 → git-master |
comment:2 by , 5 years ago

| Resolution: | → fixed |
|---|---|
| Status: | open → closed |

Fixed by Paul in 9d711a90fdf379dca2b3d24893c820c3060b5d94