Opened 5 years ago

Closed 3 years ago

Last modified 3 years ago

#7996 closed defect (duplicate)

Division by zero at libavcodec/lpc.h:155

Reported by: Suhwan Owned by:
Priority: normal Component: undetermined
Version: git-master Keywords: ubsan asan
Cc: Michael Niedermayer Blocked By:
Blocking: Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug:
There's division by zero at libavcodec/lpc.h:155 and heap buffer overflow at libavcodec/zmbvenc.c:97:30.

How to reproduce:

% ffmpeg_g -y -r 48 -i tmp.wmv -map 0 -c:s:4 zmbv -c:v zmbv -disposition:a:19 fits -disposition:v:29 xwd -vframes 34 -ab 922k -ar 48000 -ac 3 -b:v 501k tmp_.mov

ffmpeg version : N-94163-g664a27ea40
built with clang version 9.0.0
135 static inline void compute_ref_coefs(const LPC_TYPE *autoc, int max_order,
136                                      LPC_TYPE *ref, LPC_TYPE *error)
137 {
138     int i, j;
139     LPC_TYPE err;
140     LPC_TYPE gen0[MAX_LPC_ORDER], gen1[MAX_LPC_ORDER];
141 
142     for (i = 0; i < max_order; i++)
143         gen0[i] = gen1[i] = autoc[i + 1];
144 
145     err    = autoc[0];
146     ref[0] = -gen1[0] / err;
147     err   +=  gen1[0] * ref[0];
148     if (error)
149         error[0] = err;
150     for (i = 1; i < max_order; i++) {
151         for (j = 0; j < max_order - i; j++) {
152             gen1[j] = gen1[j + 1] + ref[i - 1] * gen0[j];
153             gen0[j] = gen1[j + 1] * ref[i - 1] + gen0[j];
154         }
155         ref[i] = -gen1[0] / err;
156         err   +=  gen1[0] * ref[i];
157         if (error)
158             error[i] = err;
159     }
160 }

Attachments (2)

gdb_log_7996 (8.1 KB ) - added by Suhwan 5 years ago.
tmp.wmv (444.8 KB ) - added by Suhwan 5 years ago.

Download all attachments as: .zip

Change History (7)

by Suhwan, 5 years ago

Attachment: gdb_log_7996 added

by Suhwan, 5 years ago

Attachment: tmp.wmv added

comment:1 by Suhwan, 5 years ago

ffmpeg version N-94906-gcb8d6a4e3e Copyright (c) 2000-2019 the FFmpeg developers
  built with clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
  configuration: --cc=clang --cxx=clang++ --ld=clang --enable-debug --toolchain=clang-usan
  libavutil      56. 35.100 / 56. 35.100
  libavcodec     58. 56.101 / 58. 56.101
  libavformat    58. 32.104 / 58. 32.104
  libavdevice    58.  9.100 / 58.  9.100
  libavfilter     7. 58.102 /  7. 58.102
  libswscale      5.  6.100 /  5.  6.100
  libswresample   3.  6.100 /  3.  6.100
Guessed Channel Layout for Input Stream #0.1 : mono
Input #0, asf, from 'tmp.wmv':
  Metadata:
    encoder         : Lavf57.66.105
  Duration: 00:00:05.63, start: 0.000000, bitrate: 647 kb/s
    Stream #0:0: Video: wmv2 (WMV2 / 0x32564D57), yuv420p, 560x320, SAR 1:1 DAR 7:4, 30 fps, 30 tbr, 1k tbn, 1k tbc
    Stream #0:1(eng): Audio: wmav2 (a[1][0][0] / 0x0161), 48000 Hz, mono, fltp, 128 kb/s
Stream mapping:
  Stream #0:0 -> #0:0 (wmv2 (native) -> zmbv (native))
  Stream #0:1 -> #0:1 (wmav2 (native) -> aac (native))
Press [q] to stop, [?] for help
[aac @ 0xab799c0] Using a PCE to encode channel layout "2.1"
[aac @ 0xab799c0] Too many bits 19669.333333 > 18432 per frame requested, clamping to max
libavcodec/lpc.h:155:27: runtime error: division by zero
[mov @ 0xab99780] Using MS style video codec tag, the file may be unplayable!
Output #0, mov, to 'tmp_.mov':
  Metadata:
    encoder         : Lavf58.32.104
    Stream #0:0: Video: zmbv, bgr0, 560x320 [SAR 1:1 DAR 7:4], q=2-31, 501 kb/s, 48 fps, 12288 tbn, 48 tbc
    Metadata:
      encoder         : Lavc58.56.101 zmbv
    Stream #0:1(eng): Audio: aac (LC) (mp4a / 0x6134706D), 48000 Hz, 2.1, fltp, 864 kb/s
    Metadata:
      encoder         : Lavc58.56.101 aac
frame=   34 fps=5.3 q=-0.0 Lsize=    1221kB time=00:00:01.17 bitrate=8547.2kbits/s speed=0.182x     
video:1181kB audio:38kB subtitle:0kB other streams:0kB global headers:0kB muxing overhead: 0.174866%
[aac @ 0xab799c0] Qavg: 64919.828

comment:2 by Michael Niedermayer, 3 years ago

Cc: Michael Niedermayer added
Resolution: fixed
Status: newclosed

The division by 0 happens in floating point and divisions by 0 in floating point are generally not bugs as such. If you disagree and see an issue with this division then please reopen this ticket

Completely unrelated to this the sample triggers a out of array read that has been fixed by def04022f4a7058f99e669bfd978d431d79aec18 so iam marking this as fixed

comment:3 by Michael Niedermayer, 3 years ago

Actually the only bug in this is a duplicate of #7980

comment:4 by Michael Niedermayer, 3 years ago

Resolution: fixedduplicate

comment:5 by Michael Niedermayer, 3 years ago

I will post a patch to ffmpeg-devel to avoid the floating point division.

Note: See TracTickets for help on using tickets.