#5386 closed defect (fixed)
svag: SIGFPE during fuzzed file demuxing
| Reported by: | qiubit | Owned by: | |
|---|---|---|---|
| Priority: | important | Component: | avformat |
| Version: | git-master | Keywords: | FPE crash svag |
| Cc: | | Blocked By: | |
| Blocking: | | Reproduced by developer: | no |
| Analyzed by developer: | no | | |
Description
Summary of the bug:
ffmpeg crashes with an arithmetic exception when trying to read a fuzzed svag file
How to reproduce:
ffmpeg -i fuzzIn -acodec copy -vcodec copy fuzzOut
Backtrace:
```text
pgolinski@Ubuntu-y580:~/Dokumenty/Programowanie/git/fffuzz head/successfulFuzzes$ gdb ../../ffmpeg/build/ffmpeg_g
GNU gdb (Ubuntu 7.10-1ubuntu2) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ../../ffmpeg/build/ffmpeg_g...done.
(gdb) r -v 9 -loglevel 99 -i fuzzIn -acodec copy -vcodec copy fuzzOut
Starting program: /home/pgolinski/Dokumenty/Programowanie/git/ffmpeg/build/ffmpeg_g -v 9 -loglevel 99 -i fuzzIn -acodec copy -vcodec copy fuzzOut
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
ffmpeg version N-79116-gb098e1a Copyright (c) 2000-2016 the FFmpeg developers
  built with Ubuntu clang version 3.6.2-1 (tags/RELEASE_362/final) (based on LLVM 3.6.2)
  configuration: --cc=afl-clang-fast --cxx=afl-clang-fast --prefix=/home/pgolinski/Dokumenty/Programowanie/git/ffmpeg/build/install
  libavutil      55. 19.100 / 55. 19.100
  libavcodec     57. 30.100 / 57. 30.100
  libavformat    57. 29.100 / 57. 29.100
  libavdevice    57.  0.101 / 57.  0.101
  libavfilter     6. 39.102 /  6. 39.102
  libswscale      4.  0.100 /  4.  0.100
  libswresample   2.  0.101 /  2.  0.101
Splitting the commandline.
Reading option '-v' ... matched as option 'v' (set logging level) with argument '9'.
Reading option '-loglevel' ... matched as option 'loglevel' (set logging level) with argument '99'.
Reading option '-i' ... matched as input file with argument 'fuzzIn'.
Reading option '-acodec' ... matched as option 'acodec' (force audio codec ('copy' to copy stream)) with argument 'copy'.
Reading option '-vcodec' ... matched as option 'vcodec' (force video codec ('copy' to copy stream)) with argument 'copy'.
Reading option 'fuzzOut' ... matched as output file.
Finished splitting the commandline.
Parsing a group of options: global .
Applying option v (set logging level) with argument 9.
Successfully parsed a group of options.
Parsing a group of options: input file fuzzIn.
Successfully parsed a group of options.
Opening an input file: fuzzIn.
[file @ 0x60a00000ef80] Setting default whitelist 'file,crypto'
Probing svag score:100 size:301
[svag @ 0x61b00001f180] Format svag probed with size=2048 and score=100

Program received signal SIGFPE, Arithmetic exception.
0x0000000000b686e3 in svag_read_header (s=<optimized out>) at src/libavformat/svag.c:53
53          st->duration = size / (16 * st->codec->channels) * 28;
(gdb) -i opusFuzz1 -acodec copy -vcodec copy fuzzOut
Undefined command: "-i".  Try "help".
(gdb) bt
#0  0x0000000000b686e3 in svag_read_header (s=<optimized out>) at src/libavformat/svag.c:53
#1  0x0000000000b8c78c in avformat_open_input (ps=0x7fffffffd3a0, filename=<optimized out>, fmt=<optimized out>, options=0x60700000df68) at src/libavformat/utils.c:512
#2  0x000000000054083a in open_input_file (o=<optimized out>, filename=<optimized out>) at src/ffmpeg_opt.c:949
#3  0x000000000053f40d in open_files (l=<optimized out>, inout=<optimized out>, open_file=<optimized out>) at src/ffmpeg_opt.c:3003
#4  0x000000000053ec1f in ffmpeg_parse_options (argc=<optimized out>, argv=<optimized out>) at src/ffmpeg_opt.c:3040
#5  0x00000000005657e1 in main (argc=<optimized out>, argv=<optimized out>) at src/ffmpeg.c:4312
(gdb) disass $pc-32,$pc+32
Dump of assembler code from 0xb686c3 to 0xb68703:
   0x0000000000b686c3 <svag_read_header+387>:	mov    0x29c718f(%rip),%esi        # 0x352f858 <__afl_area_ptr>
   0x0000000000b686c9 <svag_read_header+393>:	xor    $0x6610,%rdx
   0x0000000000b686d0 <svag_read_header+400>:	incb   (%rsi,%rdx,1)
   0x0000000000b686d3 <svag_read_header+403>:	movl   $0x3308,%fs:(%rax)
   0x0000000000b686da <svag_read_header+410>:	shl    $0x4,%ecx
   0x0000000000b686dd <svag_read_header+413>:	xor    %edx,%edx
   0x0000000000b686df <svag_read_header+415>:	mov    0xc(%rsp),%eax
=> 0x0000000000b686e3 <svag_read_header+419>:	div    %ecx
   0x0000000000b686e5 <svag_read_header+421>:	imul   $0x1c,%eax,%eax
   0x0000000000b686e8 <svag_read_header+424>:	lea    0x40(%r14),%rdi
   0x0000000000b686ec <svag_read_header+428>:	mov    %rdi,%rcx
   0x0000000000b686ef <svag_read_header+431>:	shr    $0x3,%rcx
   0x0000000000b686f3 <svag_read_header+435>:	cmpb   $0x0,0x7fff8000(%rcx)
   0x0000000000b686fa <svag_read_header+442>:	jne    0xb6892a <svag_read_header+1002>
   0x0000000000b68700 <svag_read_header+448>:	mov    %rax,(%rdi)
End of assembler dump.
(gdb) info all-registers
rax            0x70707067	1886416999
rbx            0xc3600003e34	13426067783220
rcx            0x0	0
rdx            0x0	0
rsi            0x4a77720	78083872
rdi            0x61a00001f45c	107339822789724
rbp            0xbebbb1b7	0xbebbb1b7
rsp            0x7fffffffcad0	0x7fffffffcad0
r8             0x61b00001f1ac	107408542265772
r9             0x7fffffffca40	140737488341568
r10            0xc3600003e35	13426067783221
r11            0x1	1
r12            0x61800000fc88	107202383772808
r13            0x61b00001f1a0	107408542265760
r14            0x61800000fc80	107202383772800
r15            0xc3000001f91	13400297971601
rip            0xb686e3	0xb686e3 <svag_read_header+419>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
st0            0	(raw 0x00000000000000000000)
st1            0	(raw 0x00000000000000000000)
st2            0	(raw 0x00000000000000000000)
st3            0	(raw 0x00000000000000000000)
st4            0	(raw 0x00000000000000000000)
st5            0	(raw 0x00000000000000000000)
st6            0	(raw 0x00000000000000000000)
st7            0	(raw 0x00000000000000000000)
fctrl          0x37f	895
fstat          0x0	0
ftag           0xffff	65535
fiseg          0x0	0
fioff          0x0	0
foseg          0x0	0
fooff          0x0	0
fop            0x0	0
mxcsr          0x1fa0	[ PE IM DM ZM OM UM PM ]
```
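The faulting `div %ecx` with `rcx = 0` shows the fuzzed header carried a channel count of 0, so `16 * st->codec->channels` became a zero divisor. As an added illustration (not the project's own code; the 16-byte header layout, the "Svag" magic and the upper channel bound of 8 are assumptions), a minimal header parser that validates each field before it is used as a divisor, run over two constructed headers:

```c
#include <stdint.h>
#include <stddef.h>

/* Header layout assumed from the crashing expression: 4-byte magic, then
 * little-endian data size, sample rate and channel count, 4 bytes each. */
#define SVAG_HDR_LEN 16

typedef struct {
    uint32_t size;
    int32_t  sample_rate, channels;
    int      block_align;
    int64_t  duration;
} svag_hdr;

/* Constructed sample headers: one sane, one with the fuzzed channels = 0. */
static const uint8_t VALID_HDR[SVAG_HDR_LEN] = {
    'S','v','a','g', 0x00,0x10,0x00,0x00,    /* magic, size = 4096         */
    0x44,0xac,0x00,0x00, 0x02,0x00,0x00,0x00 /* rate = 44100, channels = 2 */
};
static const uint8_t FUZZED_HDR[SVAG_HDR_LEN] = {
    'S','v','a','g', 0x00,0x10,0x00,0x00,
    0x44,0xac,0x00,0x00, 0x00,0x00,0x00,0x00 /* channels = 0: zero divisor */
};

static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Returns 0 on success, -1 (standing in for AVERROR_INVALIDDATA) when the
 * header fails validation. Each field is checked before it becomes a
 * divisor or a multiplicand, so untrusted input cannot raise SIGFPE. */
int svag_parse_header(const uint8_t *buf, size_t len, svag_hdr *h)
{
    if (len < SVAG_HDR_LEN)
        return -1;
    h->size        = rl32(buf + 4);   /* magic at buf[0..3] is skipped */
    h->sample_rate = (int32_t)rl32(buf + 8);
    h->channels    = (int32_t)rl32(buf + 12);
    if (h->sample_rate <= 0)
        return -1;
    /* The ticket's bug: channels == 0 makes 16 * channels zero. The upper
     * bound (8 is an assumption) also keeps 16 * channels from overflowing. */
    if (h->channels <= 0 || h->channels > 8)
        return -1;
    h->block_align = 16 * h->channels;
    h->duration    = (int64_t)(h->size / (uint32_t)h->block_align) * 28;
    return 0;
}
```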
Attachments (1)
Change History (3)
comment:1 by , 8 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:2 by , 8 years ago
| Component: | undetermined → avformat |
|---|---|
| Keywords: | FPE added; SIGFPE removed |
| Priority: | normal → important |
| Version: | unspecified → git-master |
Fixed in d5a3578350a3901a26df39df196bb085760ec46f