[FFmpeg-trac] #8327(avcodec:new): divide by zero in libavcodec/tiff.c

FFmpeg trac at avcodec.org
Tue Oct 22 12:15:54 EEST 2019

#8327: divide by zero in libavcodec/tiff.c
             Reporter:  cstubbs  |                     Type:  defect
               Status:  new      |                 Priority:  normal
            Component:  avcodec  |                  Version:  unspecified
             Keywords:           |               Blocked By:
             Blocking:           |  Reproduced by developer:  0
Analyzed by developer:  0        |
 Summary of the bug:

 Division by zero while processing a fuzzed TIFF file. The gdb session below shows the fault at `s->black_level = value / value2;` (libavcodec/tiff.c:1417), with the divisor in %ecx equal to 0 at the faulting `div %ecx` — i.e. the second ff_tget() result (value2) read from the file is 0 and is used without a zero check.

 How to reproduce:
 % ffmpeg -i bdcdaac0fbbef8413cf23a4f67c033da1ff5e1fc.out -f null /dev/null

 ffmpeg version N-95495-gf7f4691 Copyright (c) 2000-2019 the FFmpeg
   built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
   configuration: --prefix=/home/chris/ffmpeg_build --pkg-config-
 flags=--static --extra-cflags=-I/home/chris/ffmpeg_build/include --extra-
 ldflags=-L/home/chris/ffmpeg_build/lib --extra-libs='-lpthread -lm'
 --bindir=/home/chris/bin --assert-level=2 --disable-ffplay --disable-
 ffprobe --disable-doc --disable-shared --cc=afl-clang --cxx=afl-clang++
 --enable-gpl --enable-libaom --enable-libass --enable-libfdk-aac --enable-
 libfreetype --enable-libmp3lame --enable-libopus --enable-libvorbis
 --enable-libvpx --enable-libx264 --enable-libx265 --enable-nonfree
   libavutil      56. 35.101 / 56. 35.101
   libavcodec     58. 59.102 / 58. 59.102
   libavformat    58. 33.100 / 58. 33.100
   libavdevice    58.  9.100 / 58.  9.100
   libavfilter     7. 64.100 /  7. 64.100
   libswscale      5.  6.100 /  5.  6.100
   libswresample   3.  6.100 /  3.  6.100
   libpostproc    55.  6.100 / 55.  6.100

 Program received signal SIGFPE, Arithmetic exception.
 0x00000000010391e7 in tiff_decode_tag (s=<optimized out>, frame=<optimized
     at libavcodec/tiff.c:1417
 1417                    s->black_level = value / value2;
 (gdb) bt
 #0  0x00000000010391e7 in tiff_decode_tag (s=<optimized out>,
 frame=<optimized out>)
     at libavcodec/tiff.c:1417
 #1  decode_frame (avctx=0x3539e80, data=<optimized out>,
     avpkt=0x353af00) at libavcodec/tiff.c:1772
 #2  0x0000000000ae4fad in decode_simple_internal (avctx=<optimized out>,
     frame=<optimized out>) at libavcodec/decode.c:432
 #3  decode_simple_receive_frame (avctx=<optimized out>, frame=<optimized
     at libavcodec/decode.c:628
 #4  decode_receive_frame_internal (avctx=0x3539e80, frame=0x353ab80)
     at libavcodec/decode.c:646
 #5  0x0000000000ae4d3a in avcodec_send_packet (avctx=0x3539e80,
     at libavcodec/decode.c:704
 #6  0x00000000009b7b7b in try_decode_frame (s=<optimized out>,
     avpkt=<optimized out>, options=<optimized out>) at
 #7  0x00000000009b4750 in avformat_find_stream_info (ic=<optimized out>,
     options=<optimized out>) at libavformat/utils.c:3939
 #8  0x000000000040cbc6 in open_input_file (o=0x7fffffffd870,
 "/home/chris/stage1/bdcdaac0fbbef8413cf23a4f67c033da1ff5e1fc.out") at
 #9  0x000000000040be4a in open_files (l=0x35375d8, inout=0x2458307
     open_file=0x40c0a0 <open_input_file>) at fftools/ffmpeg_opt.c:3283
 #10 0x000000000040bbd5 in ffmpeg_parse_options (argc=<optimized out>,
     argv=<optimized out>) at fftools/ffmpeg_opt.c:3323
 #11 0x0000000000429f79 in main (argc=10, argv=0x7fffffffdf28)
     at fftools/ffmpeg.c:4862
 (gdb) disass $pc-32,$pc+32
 Dump of assembler code from 0x10391c7 to 0x1039207:
    0x00000000010391c7 <decode_frame+6631>:      mov    %rbp,%rdi
    0x00000000010391ca <decode_frame+6634>:      callq  0x1042ba0 <ff_tget>
    0x00000000010391cf <decode_frame+6639>:      mov    %eax,%ebx
    0x00000000010391d1 <decode_frame+6641>:      mov    (%r15),%edx
    0x00000000010391d4 <decode_frame+6644>:      mov    $0x4,%esi
    0x00000000010391d9 <decode_frame+6649>:      mov    %rbp,%rdi
    0x00000000010391dc <decode_frame+6652>:      callq  0x1042ba0 <ff_tget>
    0x00000000010391e1 <decode_frame+6657>:      mov    %eax,%ecx
    0x00000000010391e3 <decode_frame+6659>:      xor    %edx,%edx
    0x00000000010391e5 <decode_frame+6661>:      mov    %ebx,%eax
 => 0x00000000010391e7 <decode_frame+6663>:      div    %ecx
    0x00000000010391e9 <decode_frame+6665>:      jmpq   0x103a3b5
    0x00000000010391ee <decode_frame+6670>:      mov    0x288(%rsp),%eax
    0x00000000010391f5 <decode_frame+6677>:      mov    0x88(%rsp),%rbx
    0x00000000010391fd <decode_frame+6685>:      mov    (%rbx),%ebp
    0x00000000010391ff <decode_frame+6687>:      mov    $0x1,%edx
    0x0000000001039204 <decode_frame+6692>:      mov    %ebp,%ecx
    0x0000000001039206 <decode_frame+6694>:      shl    %cl,%edx
 End of assembler dump.
 (gdb) info all-registers
 rax            0x0      0
 rbx            0x0      0
 rcx            0x0      0
 rdx            0x0      0
 rsi            0x0      0
 rdi            0x7ffff7f9a050   140737353719888
 rbp            0x7ffff7f9a050   0x7ffff7f9a050
 rsp            0x7fffffffd030   0x7fffffffd030
 r8             0x7fffffffd2b8   140737488343736
 r9             0x7fffffffd2fc   140737488343804
 r10            0x13c    316
 r11            0x353eb9c        55831452
 r12            0x7ffff7f9a040   140737353719872
 r13            0x353af00        55815936
 r14            0x1      1
 r15            0x7ffff7f9a49c   140737353720988
 rip            0x10391e7        0x10391e7 <decode_frame+6663>
 eflags         0x10246  [ PF ZF IF RF ]
 cs             0x33     51
 ss             0x2b     43
 ds             0x0      0
 es             0x0      0
 fs             0x0      0
 gs             0x0      0
 st0            0        (raw 0x00000000000000000000)
 st1            0        (raw 0x00000000000000000000)

Ticket URL: <https://trac.ffmpeg.org/ticket/8327>
