[FFmpeg-trac] #8335(avformat:new): Integer divide by zero in libavformat/bintext.c

FFmpeg trac at avcodec.org
Fri Oct 25 12:56:16 EEST 2019


#8335: Integer divide by zero in libavformat/bintext.c
--------------------------------------+-------------------------------------
             Reporter:  andreafioraldi|                     Type:  defect
               Status:  new           |                 Priority:  important
            Component:  avformat      |                  Version:  4.2
             Keywords:  division zero |               Blocked By:
             Blocking:                |  Reproduced by developer:  0
Analyzed by developer:  0             |
--------------------------------------+-------------------------------------
 Hi, I found this bug while fuzzing.
 It is a division by zero in predict_width() of libavformat/bintext.c.

 The bug affects ffmpeg 4.2.1 as well as the git master.

 The Valgrind output is:

 {{{
 valgrind ../FFmpeg/ffmpeg_g -y -i
 out/ffmpeg/weizz_rq_1571070675/crashes/id:000004,sig:08,src:015475,time:156881952,op:cmpdata,pos:98,val:be:+2
 -c:v mpeg4 -c:a out.mp4
 ==32974== Memcheck, a memory error detector
 ==32974== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
 ==32974== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for
 copyright info
 ==32974== Command: ../FFmpeg/ffmpeg_g -y -i
 out/ffmpeg/weizz_rq_1571070675/crashes/id:000004,sig:08,src:015475,time:156881952,op:cmpdata,pos:98,val:be:+2
 -c:v mpeg4 -c:a out.mp4
 ==32974==
 ffmpeg version N-95553-g155508c6e9 Copyright (c) 2000-2019 the FFmpeg
 developers
   built with gcc 6.3.0 (Debian 6.3.0-18+deb9u1) 20170516
   configuration: --enable-debug
   libavutil      56. 35.101 / 56. 35.101
   libavcodec     58. 59.102 / 58. 59.102
   libavformat    58. 33.100 / 58. 33.100
   libavdevice    58.  9.100 / 58.  9.100
   libavfilter     7. 65.100 /  7. 65.100
   libswscale      5.  6.100 /  5.  6.100
   libswresample   3.  6.100 /  3.  6.100
 Trailing option(s) found in the command: may be ignored.
 [bin @ 0x70b5640] Format bin detected only with low score of 1,
 misdetection possible!
 ==32974==
 ==32974== Process terminating with default action of signal 8 (SIGFPE)
 ==32974==  Integer divide by zero at address 0x806925EF7
 ==32974==    at 0x45FB21: predict_width (bintext.c:125)
 ==32974==    by 0x45FB21: bintext_read_header (bintext.c:197)
 ==32974==    by 0x57C740: avformat_open_input (utils.c:633)
 ==32974==    by 0x27D6D4: open_input_file (ffmpeg_opt.c:1105)
 ==32974==    by 0x27F46D: open_files (ffmpeg_opt.c:3283)
 ==32974==    by 0x27F46D: ffmpeg_parse_options (ffmpeg_opt.c:3323)
 ==32974==    by 0x2773A6: main (ffmpeg.c:4863)
 ==32974==
 ==32974== HEAP SUMMARY:
 ==32974==     in use at exit: 38,913 bytes in 51 blocks
 ==32974==   total heap usage: 90 allocs, 39 frees, 78,778 bytes allocated
 ==32974==
 ==32974== LEAK SUMMARY:
 ==32974==    definitely lost: 0 bytes in 0 blocks
 ==32974==    indirectly lost: 0 bytes in 0 blocks
 ==32974==      possibly lost: 0 bytes in 0 blocks
 ==32974==    still reachable: 38,913 bytes in 51 blocks
 ==32974==         suppressed: 0 bytes in 0 blocks
 ==32974== Rerun with --leak-check=full to see details of leaked memory
 ==32974==
 ==32974== For counts of detected and suppressed errors, rerun with: -v
 ==32974== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
 Floating point exception

 }}}

 The testcase that triggers the bug is the following (in base64):

 VE1BU0FVQ0UwMEkgTElTVOz8AAAAAAIAAAAAAAAAAOdLSVNUlBAT/3N0cmxzdAAAAHsaRd+j//8A
 ZHt9fQAQAAEF6AABAAD5/vwAAAAAAAAEAAAAAAAAAExJU1SUEAAAAAUBAAABABUAAQCAAGkBAAAB
 ZHNGAAAAAAMfYkEAowAAlOI=

 Regards,
 Andrea

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8335>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker