[FFmpeg-trac] #3862(undetermined:new): wav: fpe (fuzzed file)

FFmpeg trac at avcodec.org
Sun Aug 17 03:21:32 CEST 2014


#3862: wav: fpe (fuzzed file)
-------------------------------------+-------------------------------------
               Reporter:  ami_stuff  |                  Owner:
                   Type:  defect     |                 Status:  new
               Priority:  normal     |              Component:
                Version:             |  undetermined
  unspecified                        |               Keywords:
             Blocked By:             |               Blocking:
Reproduced by developer:  0          |  Analyzed by developer:  0
-------------------------------------+-------------------------------------
 {{{
 (gdb) r -i f.wav
 Starting program: /media/sdb1/ffmpeg-snapshot/ffmpeg_g -i f.wav
 [Thread debugging using libthread_db enabled]
 Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
 ffmpeg version 2.3.git Copyright (c) 2000-2014 the FFmpeg developers
   built on Aug 14 2014 23:56:56 with gcc 4.7 (Debian 4.7.2-5)
   configuration: --disable-yasm --enable-gpl --disable-ffserver --disable-ffprobe
   libavutil      54.  3.100 / 54.  3.100
   libavcodec     56.  0.101 / 56.  0.101
   libavformat    56.  1.100 / 56.  1.100
   libavdevice    56.  0.100 / 56.  0.100
   libavfilter     5.  0.100 /  5.  0.100
   libswscale      3.  0.100 /  3.  0.100
   libswresample   1.  0.100 /  1.  0.100
   libpostproc    53.  0.100 / 53.  0.100
 [wav @ 0x93af340] too big INFO subchunk

 Program received signal SIGFPE, Arithmetic exception.
 0x08a1261b in __divdi3 ()
 (gdb) bt
 #0  0x08a1261b in __divdi3 ()
 #1  0x0829a043 in wav_read_header (s=0x93af340) at
 libavformat/wavdec.c:405
 #2  0x08294543 in avformat_open_input (ps=ps at entry=0xbffff44c,
     filename=filename at entry=0xbffffb7b "f.wav", fmt=fmt at entry=0x0,
     options=0x93a884c) at libavformat/utils.c:437
 #3  0x080be28d in open_input_file (o=o at entry=0xbffff54c,
     filename=<optimized out>) at ffmpeg_opt.c:870
 #4  0x080b7d17 in open_files (inout=inout at entry=0x8a76cbb "input",
     open_file=open_file at entry=0x80bdf90 <open_input_file>,
     l=<error reading variable: Unhandled dwarf expression opcode 0xfa>,
     l=<error reading variable: Unhandled dwarf expression opcode 0xfa>)
     at ffmpeg_opt.c:2670
 #5  0x080bff09 in ffmpeg_parse_options (argc=argc at entry=3,
     argv=argv at entry=0xbffff9f4) at ffmpeg_opt.c:2707
 #6  0x080af43a in main (argc=3, argv=0xbffff9f4) at ffmpeg.c:3824
 (gdb)
 }}}

 {{{
 knoppix at Microknoppix:/media/sdb1$ valgrind --leak-check=full ffmpeg-snapshot/ffmpeg_g -i f.wav
 ==8353== Memcheck, a memory error detector
 ==8353== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
 ==8353== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
 ==8353== Command: ffmpeg-snapshot/ffmpeg_g -i f.wav
 ==8353==
 ffmpeg version 2.3.git Copyright (c) 2000-2014 the FFmpeg developers
   built on Aug 14 2014 23:56:56 with gcc 4.7 (Debian 4.7.2-5)
   configuration: --disable-yasm --enable-gpl --disable-ffserver --disable-ffprobe
   libavutil      54.  3.100 / 54.  3.100
   libavcodec     56.  0.101 / 56.  0.101
   libavformat    56.  1.100 / 56.  1.100
   libavdevice    56.  0.100 / 56.  0.100
   libavfilter     5.  0.100 /  5.  0.100
   libswscale      3.  0.100 /  3.  0.100
   libswresample   1.  0.100 /  1.  0.100
   libpostproc    53.  0.100 / 53.  0.100
 [wav @ 0x4226560] too big INFO subchunk
 ==8353==
 ==8353== Process terminating with default action of signal 8 (SIGFPE)
 ==8353==  Integer divide by zero at address 0x65A0A7AD
 ==8353==    at 0x8A12614: __divdi3 (in /media/sdb1/ffmpeg-snapshot/ffmpeg_g)
 ==8353==    by 0x829A042: wav_read_header (wavdec.c:405)
 ==8353==    by 0x8294542: avformat_open_input (utils.c:437)
 ==8353==    by 0x18: ???
 ==8353==
 ==8353== HEAP SUMMARY:
 ==8353==     in use at exit: 87,026 bytes in 52 blocks
 ==8353==   total heap usage: 80 allocs, 28 frees, 125,442 bytes allocated
 ==8353==
 ==8353== LEAK SUMMARY:
 ==8353==    definitely lost: 0 bytes in 0 blocks
 ==8353==    indirectly lost: 0 bytes in 0 blocks
 ==8353==      possibly lost: 0 bytes in 0 blocks
 ==8353==    still reachable: 87,026 bytes in 52 blocks
 ==8353==         suppressed: 0 bytes in 0 blocks
 ==8353== Reachable blocks (those to which a pointer was found) are not shown.
 ==8353== To see them, rerun with: --leak-check=full --show-reachable=yes
 ==8353==
 ==8353== For counts of detected and suppressed errors, rerun with: -v
 ==8353== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 59 from 6)
 Floating point exception
 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/3862>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker

