Context Navigation

#1205 closed defect (fixed)

Division by Zero in avcodec

Reported by:	John Villamil	Owned by:
Priority:	important	Component:	avcodec
Version:	git-master	Keywords:	crash fpe wmapro
Cc:		Blocked By:
Blocking:		Reproduced by developer:	yes
Analyzed by developer:	no

Description

* ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\owner\Desktop\ffmpeg-git-a4c22e3-win32-shared\bin\avcodec-54.dll -
avcodec_54!avcodec_close+0x8968:
6aa50868 f77f3c idiv eax,dword ptr [edi+3Ch] ds:002b:02bb0b9c=00000000
0:002:x86> $<dbgcomm.txt
0:002:x86> r
eax=00019000 ebx=00000001 ecx=00000001 edx=00000000 esi=00000000 edi=02bb0b60
eip=6aa50868 esp=0318fa40 ebp=02bb7580 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
avcodec_54!avcodec_close+0x8968:
6aa50868 f77f3c idiv eax,dword ptr [edi+3Ch] ds:002b:02bb0b9c=00000000
0:002:x86> !load winext\msec.dll
0:002:x86> !exploitable
* ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\owner\Desktop\ffmpeg-git-a4c22e3-win32-shared\bin\avutil-51.dll -
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Integer Divide By Zero starting at avcodec_54!avcodec_close+0x0000000000008968 (Hash=0x67550b5d.0x67557379)

This is a divide by zero, and is probably not exploitable.
0:002:x86> q
quit:

Tested on the shared build from 2012-04-09 found at http://ffmpeg.zeranoe.com/builds/

A PoC file:
http://w.rdtsc.net/ffmpegmkv/ProbNOTExploitable/DivByZ.zip

Thanks,
John Villamil

Change History (2)

comment:1 by Carl Eugen Hoyos, 12 years ago

Keywords:	crash fpe mkv added
Priority:	normal → important
Reproduced by developer:	set
Status:	new → open
Version:	unspecified → git-master

(gdb) r -i 427535wmaproEOF.mkvtest54.mkv
Starting program: ffmpeg_g -i 427535wmaproEOF.mkvtest54.mkv
[Thread debugging using libthread_db enabled]
[New Thread 0xb7b626c0 (LWP 11853)]
ffmpeg version N-39787-gcca9528 Copyright (c) 2000-2012 the FFmpeg developers
  built on Apr 14 2012 08:48:33 with gcc 4.3.2
  configuration: --cc=/usr/local/gcc-4.3.2/bin/gcc --enable-gpl
  libavutil      51. 46.100 / 51. 46.100
  libavcodec     54. 14.101 / 54. 14.101
  libavformat    54.  3.100 / 54.  3.100
  libavdevice    53.  4.100 / 53.  4.100
  libavfilter     2. 69.101 /  2. 69.101
  libswscale      2.  1.100 /  2.  1.100
  libswresample   0. 11.100 /  0. 11.100
  libpostproc    52.  0.100 / 52.  0.100
[matroska,webm @ 0x8ee3380] Unknown EBML doctype 'm-t?oska'
[matroska,webm @ 0x8ee3380] Read error at pos. 377 (0x179)
[matroska,webm @ 0x8ee3380] Unknown entry 0x81
[matroska,webm @ 0x8ee3380] Unknown entry 0x2F62CE
[matroska,webm @ 0x8ee3380] Unknown entry 0x81
[matroska,webm @ 0x8ee3380] Unknown entry 0x7453
[matroska,webm @ 0x8ee3380] Unknown entry 0x84
[matroska,webm @ 0x8ee3380] Read error at pos. 377 (0x179)

Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread 0xb7b626c0 (LWP 11853)]
0x085f7e47 in decode_init (avctx=0x8eea240) at libavcodec/wmaprodec.c:402
402                               / s->avctx->sample_rate + 2;
(gdb) bt
#0  0x085f7e47 in decode_init (avctx=0x8eea240) at libavcodec/wmaprodec.c:402
#1  0x08572de5 in avcodec_open2 (avctx=0x8eea240, codec=Cannot access memory at address 0x4
) at libavcodec/utils.c:910
#2  0x08194cd4 in avformat_find_stream_info (ic=0x8ee3380, options=0x8ee4180) at libavformat/utils.c:2448
#3  0x08054733 in opt_input_file (o=0xbfc619f0, opt=0xbfc62270 "i",
    filename=0xbfc62272 "427535wmaproEOF.mkvtest54.mkv") at ffmpeg.c:3794
#4  0x0805f9d2 in parse_option (optctx=0xbfc619f0, opt=0xbfc62270 "i",
    arg=0xbfc62272 "427535wmaproEOF.mkvtest54.mkv", options=0x87d96e0) at cmdutils.c:303
#5  0x0805fd63 in parse_options (optctx=0xbfc619f0, argc=3, argv=0xbfc61c24, options=0x87d96e0,
    parse_arg_function=0x805a580 <opt_output_file>) at cmdutils.c:336
#6  0x08059806 in main (argc=3, argv=0xbfc61c24) at ffmpeg.c:5255
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x85f7e27 to 0x85f7e67:
0x085f7e27 <decode_init+1605>:  imul   0x64(%esp),%edx
0x085f7e2c <decode_init+1610>:  mov    %edx,0x44(%esp)
0x085f7e30 <decode_init+1614>:  mov    0x68(%esp),%edx
0x085f7e34 <decode_init+1618>:  mov    (%edx),%edx
0x085f7e36 <decode_init+1620>:  mov    %edx,0x48(%esp)
0x085f7e3a <decode_init+1624>:  mov    0x44(%esp),%edx
0x085f7e3e <decode_init+1628>:  mov    0x48(%esp),%ebx
0x085f7e42 <decode_init+1632>:  mov    %edx,%eax
0x085f7e44 <decode_init+1634>:  sar    $0x1f,%edx
0x085f7e47 <decode_init+1637>:  idivl  0x1b4(%ebx)
0x085f7e4d <decode_init+1643>:  mov    %eax,%edx
0x085f7e4f <decode_init+1645>:  add    $0x2,%edx
0x085f7e52 <decode_init+1648>:  and    $0xfffffffc,%edx
0x085f7e55 <decode_init+1651>:  cmp    %edx,0x40(%esp)
0x085f7e59 <decode_init+1655>:  jge    0x85f7e75 <decode_init+1683>
0x085f7e5b <decode_init+1657>:  mov    0x54(%esp),%ebx
0x085f7e5f <decode_init+1661>:  lea    0x8778(%esi,%ebx,1),%eax
0x085f7e66 <decode_init+1668>:  mov    0x68(%esp),%ebx
End of assembler dump.
(gdb) info register
eax            0x19000  102400
ecx            0x0      0
edx            0x0      0
ebx            0x8eea240        149856832
esp            0xbfc613b0       0xbfc613b0
ebp            0x0      0x0
esi            0x1      1
edi            0x0      0
eip            0x85f7e47        0x85f7e47 <decode_init+1637>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51

comment:2 by Carl Eugen Hoyos, 12 years ago

Keywords:	wmapro added; mkv removed
Resolution:	→ fixed
Status:	open → closed

Fixed by Michael.

Note: See TracTickets for help on using tickets.

Download in other formats: