[FFmpeg-trac] #8484(avcodec:new): UBSan: division by zero

FFmpeg trac at avcodec.org
Sun Jan 19 12:08:31 EET 2020


#8484: UBSan: division by zero
-------------------------------------+-------------------------------------
             Reporter:               |                     Type:  defect
  andreafioraldi                     |
               Status:  new          |                 Priority:  important
            Component:  avcodec      |                  Version:  4.2
             Keywords:  sigfpe       |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
 Build ffmpeg 4.2.2 using clang and ubsan (-fsanitize=undefined).
 Command line: ./ffmpeg.ubsan -y -i ./input -c:v mpeg4 -c:a out.mp4
 Output:
 ffmpeg version 4.2.2 Copyright (c) 2000-2019 the FFmpeg developers
   built with clang version 8.0.0-3~ubuntu18.04.2 (tags/RELEASE_800/final)
   configuration: --cc=clang-8 --cxx=clang++-8 --ld=clang-8
   libavutil      56. 31.100 / 56. 31.100
   libavcodec     58. 54.100 / 58. 54.100
   libavformat    58. 29.100 / 58. 29.100
   libavdevice    58.  8.100 / 58.  8.100
   libavfilter     7. 57.100 /  7. 57.100
   libswscale      5.  5.100 /  5.  5.100
   libswresample   3.  5.100 /  3.  5.100
 Trailing options were found on the commandline.
 [bin @ 0x902f600] Format bin detected only with low score of 1,
 misdetection possible!
 libavformat/bintext.c:79:26: runtime error: division by zero
 UndefinedBehaviorSanitizer:DEADLYSIGNAL
 ==20336==ERROR: UndefinedBehaviorSanitizer: FPE on unknown address
 0x0000013f5b4d (pc 0x0000013f5b4d bp 0x000009038601 sp 0x7fffffffd060
 T20336)
     #0 0x13f5b4c in calculate_height
 /home/andrea/Videos/ffmpeg-4.2.2/libavformat/bintext.c:79:26
     #1 0x13f2dfb in bintext_read_header
 /home/andrea/Videos/ffmpeg-4.2.2/libavformat/bintext.c:198:13
     #2 0x197213c in avformat_open_input
 /home/andrea/Videos/ffmpeg-4.2.2/libavformat/utils.c:631:20
     #3 0x42f3e7 in open_input_file
 /home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg_opt.c:1104:11
     #4 0x42d24e in open_files
 /home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg_opt.c:3275:15
     #5 0x42cf3f in ffmpeg_parse_options
 /home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg_opt.c:3315:11
     #6 0x487003 in main
 /home/andrea/Videos/ffmpeg-4.2.2/fftools/ffmpeg.c:4872:11
     #7 0x7ffff61aab96 in __libc_start_main /build/glibc-
 OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
     #8 0x407769 in _start
 (/home/andrea/Videos/ffmpeg-4.2.2/ffmpeg_g+0x407769)

 UndefinedBehaviorSanitizer can not provide additional info.
 ==20336==ABORTING

 Note that you need UBSan to get the stack trace, but it is not needed to
 reproduce the crash; the process gets a SIGFPE.

 The bug seems to be here, where par->width is controlled:
 static void calculate_height(AVCodecParameters *par, uint64_t fsize)
 {
     par->height = (fsize / ((par->width>>3)*2)) << 4;
 }

 I attach a minimal input that triggers the bug in base64:
 YHR//wAAEQAAZAAnBv8AaDgACAB/6Pb29vb29vcELhYAAP//3v//AACV/wAHAAAAAAAQAAEAAAAAAAIAAAAOAP/t/wAAAABMAAAAAbUAAEgADAwMDEAnDAwGAgcMDAwMAAAAAIv9/u8AAAABZAAQBv8AVFe1dTZUVFRURlRU5wB//93//YAAAAQAAAAAAAAAAADzAFNBVUNFMDA7NDBtTnZpaAD29vb2LfoAAPpTQVVDRTD///9/bU52aWgA9vb29hf3CP//3gAAAABXkHU2AAAAEBobSzA7MzA7////f3R/AAAixhVkAAAAAGAoYHR//wAFAQAAMQAAAP8AMlRUV5oAgAAAAABkACAZAEZNUDQA3xEA

--
Ticket URL: <https://trac.ffmpeg.org/ticket/8484>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
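As an added example (not FFmpeg's code, and not part of the ticket), the arithmetic from the quoted calculate_height() with the divisor made explicit, beside a hardened variant that refuses to divide when the file-controlled width makes the divisor zero or negative. Params is a constructed stand-in for the two AVCodecParameters fields the function touches, and height_for() is a hypothetical helper.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the AVCodecParameters fields used by the ticket's
 * calculate_height(); not FFmpeg's struct. */
typedef struct {
    int width;
    int height;
} Params;

/* The divisor in the ticket is (width>>3)*2. For any width in 0..7 the shift
 * yields 0, so fsize / 0 is evaluated and the process gets SIGFPE. */
static int divisor_is_zero(int width)
{
    return ((width >> 3) * 2) == 0;
}

/* Hardened variant: validate the divisor before dividing and bound the result
 * so the << 4 and the int conversion cannot overflow. Returns 0 on success,
 * -1 when the caller must reject the input as malformed. */
static int calculate_height_checked(Params *par, uint64_t fsize)
{
    int divisor = (par->width >> 3) * 2;
    if (divisor <= 0)                 /* covers width 0..7 and negative widths */
        return -1;
    uint64_t q = fsize / (uint64_t)divisor;
    if (q > ((uint64_t)INT_MAX >> 4)) /* (q << 4) must still fit in int */
        return -1;
    par->height = (int)(q << 4);
    return 0;
}

/* Hypothetical helper: height for a given width and file size, or -1 on error. */
static int height_for(int width, uint64_t fsize)
{
    Params p = { width, 0 };
    return calculate_height_checked(&p, fsize) == 0 ? p.height : -1;
}

int main(void)
{
    /* Constructed sample widths: 7 trips the zero divisor, 8 and 80 are valid. */
    int widths[] = { 0, 7, 8, 80 };
    for (unsigned i = 0; i < sizeof widths / sizeof widths[0]; i++)
        printf("width=%d zero_divisor=%d height=%d\n", widths[i],
               divisor_is_zero(widths[i]), height_for(widths[i], 1600));
    return 0;
}
```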