[FFmpeg-trac] #8335(avformat:new): Integer divide by zero in libavformat/bintext.c
FFmpeg
trac at avcodec.org
Fri Oct 25 12:56:16 EEST 2019
#8335: Integer divide by zero in libavformat/bintext.c
-------------------------------------+-------------------------------------
             Reporter: andreafioraldi |                    Type: defect
               Status: new           |                Priority: important
            Component: avformat      |                 Version: 4.2
             Keywords: division zero |              Blocked By:
             Blocking:               | Reproduced by developer: 0
Analyzed by developer: 0             |
-------------------------------------+-------------------------------------
Hi, I found this bug while fuzzing.
It is a division by zero in predict_width() of libavformat/bintext.c.
The bug affects ffmpeg 4.2.1 as well as git master.
The Valgrind output is:
{{{
valgrind ../FFmpeg/ffmpeg_g -y -i out/ffmpeg/weizz_rq_1571070675/crashes/id:000004,sig:08,src:015475,time:156881952,op:cmpdata,pos:98,val:be:+2 -c:v mpeg4 -c:a out.mp4
==32974== Memcheck, a memory error detector
==32974== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==32974== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==32974== Command: ../FFmpeg/ffmpeg_g -y -i out/ffmpeg/weizz_rq_1571070675/crashes/id:000004,sig:08,src:015475,time:156881952,op:cmpdata,pos:98,val:be:+2 -c:v mpeg4 -c:a out.mp4
==32974==
ffmpeg version N-95553-g155508c6e9 Copyright (c) 2000-2019 the FFmpeg developers
built with gcc 6.3.0 (Debian 6.3.0-18+deb9u1) 20170516
configuration: --enable-debug
libavutil 56. 35.101 / 56. 35.101
libavcodec 58. 59.102 / 58. 59.102
libavformat 58. 33.100 / 58. 33.100
libavdevice 58. 9.100 / 58. 9.100
libavfilter 7. 65.100 / 7. 65.100
libswscale 5. 6.100 / 5. 6.100
libswresample 3. 6.100 / 3. 6.100
Trailing option(s) found in the command: may be ignored.
[bin @ 0x70b5640] Format bin detected only with low score of 1, misdetection possible!
==32974==
==32974== Process terminating with default action of signal 8 (SIGFPE)
==32974== Integer divide by zero at address 0x806925EF7
==32974== at 0x45FB21: predict_width (bintext.c:125)
==32974== by 0x45FB21: bintext_read_header (bintext.c:197)
==32974== by 0x57C740: avformat_open_input (utils.c:633)
==32974== by 0x27D6D4: open_input_file (ffmpeg_opt.c:1105)
==32974== by 0x27F46D: open_files (ffmpeg_opt.c:3283)
==32974== by 0x27F46D: ffmpeg_parse_options (ffmpeg_opt.c:3323)
==32974== by 0x2773A6: main (ffmpeg.c:4863)
==32974==
==32974== HEAP SUMMARY:
==32974== in use at exit: 38,913 bytes in 51 blocks
==32974== total heap usage: 90 allocs, 39 frees, 78,778 bytes allocated
==32974==
==32974== LEAK SUMMARY:
==32974== definitely lost: 0 bytes in 0 blocks
==32974== indirectly lost: 0 bytes in 0 blocks
==32974== possibly lost: 0 bytes in 0 blocks
==32974== still reachable: 38,913 bytes in 51 blocks
==32974== suppressed: 0 bytes in 0 blocks
==32974== Rerun with --leak-check=full to see details of leaked memory
==32974==
==32974== For counts of detected and suppressed errors, rerun with: -v
==32974== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Floating point exception
}}}
The testcase that triggers the bug is the following (in base64):
VE1BU0FVQ0UwMEkgTElTVOz8AAAAAAIAAAAAAAAAAOdLSVNUlBAT/3N0cmxzdAAAAHsaRd+j//8A
ZHt9fQAQAAEF6AABAAD5/vwAAAAAAAAEAAAAAAAAAExJU1SUEAAAAAUBAAABABUAAQCAAGkBAAAB
ZHNGAAAAAAMfYkEAowAAlOI=
Regards,
Andrea
--
Ticket URL: <https://trac.ffmpeg.org/ticket/8335>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
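The crash above is an integer division whose divisor is computed from geometry taken out of the input file. The following C program is an added illustration of that bug class and of the input check that closes it; it is not FFmpeg's bintext.c and does not reproduce its exact arithmetic. The 4-byte trailer layout, the FONT_W/FONT_H cell sizes and the function names are assumptions made for the example, and the sample trailers are constructed.

```c
/* Added illustration, not FFmpeg code: a demuxer guesses picture height as
 * file_size / bytes_per_row, where bytes_per_row comes from a header-supplied
 * width. A width below one character cell makes the divisor zero (SIGFPE). */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define FONT_W 8   /* assumed character cell width in pixels  */
#define FONT_H 16  /* assumed character cell height in pixels */
#define CELL_BYTES 2 /* assumed bytes per character cell (char + attribute) */

typedef struct {
    int width;   /* picture width in pixels  */
    int height;  /* picture height in pixels */
} geometry;

/* Unchecked guess, as a vulnerable demuxer would do it. With width < FONT_W
 * the integer division width / FONT_W yields 0, so bytes_per_row is 0 and the
 * division below raises SIGFPE. Never call this with an unvalidated width. */
static int guess_height_unchecked(uint64_t fsize, int width)
{
    int bytes_per_row = (width / FONT_W) * CELL_BYTES;
    return (int)(fsize / bytes_per_row) * FONT_H;
}

/* Hardened guess: reject any width that would make the divisor zero and bound
 * the result so the later shift cannot overflow. Returns 0 or -1. */
static int guess_height_checked(uint64_t fsize, int width, int *height)
{
    if (width < FONT_W)           /* need at least one whole cell per row */
        return -1;
    int bytes_per_row = (width / FONT_W) * CELL_BYTES;
    uint64_t rows = fsize / bytes_per_row;
    if (rows == 0 || rows > (uint64_t)(INT_MAX / FONT_H))
        return -1;
    *height = (int)rows * FONT_H;
    return 0;
}

/* Parse a hypothetical 4-byte trailer: le16 width in pixels, le16 height in
 * pixels (0 = unknown, guess it from the file size). Returns 0 or -1. */
static int parse_geometry(const uint8_t trailer[4], uint64_t fsize, geometry *g)
{
    int w = trailer[0] | (trailer[1] << 8);
    int h = trailer[2] | (trailer[3] << 8);
    if (w < FONT_W)               /* untrusted field: validate before use */
        return -1;
    g->width = w;
    if (h == 0)
        return guess_height_checked(fsize, w, &g->height);
    g->height = h;
    return 0;
}

int main(void)
{
    /* constructed inputs: a sane 80-column file and a fuzzed 5-pixel width */
    const uint8_t sane[4]   = { 0x80, 0x02, 0x00, 0x00 }; /* width 640, height 0 */
    const uint8_t fuzzed[4] = { 0x05, 0x00, 0x00, 0x00 }; /* width 5,   height 0 */
    geometry g;

    if (parse_geometry(sane, 4000, &g) == 0)
        printf("sane: %dx%d\n", g.width, g.height);       /* 640x400 */
    if (parse_geometry(fuzzed, 4000, &g) != 0)
        printf("fuzzed: rejected (divisor would be zero)\n");
    /* guess_height_unchecked(4000, 5) would terminate this process with SIGFPE */
    return 0;
}
```

The check that matters is the one before the division: the demuxer must establish a lower bound on width (here, one full character cell) before deriving anything from it, rather than trusting a field that a fuzzer can set to any value.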